AI/LLM Infrastructure — Google Dork Catalog (GHDB Format)

Source: https://github.com/nuclide-research/AI-LLM-Infrastructure-OSINT/blob/main/shodan/queries/ghdb-google-dorks

Generated 2026-05-31. 1003 dorks across 11 GHDB categories. Method: GHDB operator grammar (7,943-entry corpus) × verified service fingerprints from this repo’s surveys.

Tiers: 🟡 gold 493 (low-FP, ready) · ⚪ silver 313 (useful, review) · 🟤 bronze 197 (broad/noisy). CVE-mapped: 186.

Hit counts referenced in notes are candidate population from Shodan surveys, not verified findings. Verification is still required per repo methodology. Interactive clickable version: ghdb-ai-dorks.html. Raw data: data/ghdb-ai-dorks.json.


Footholds

309 dorks

| Tier | Dork | Service | CVE | Notes |
|---|---|---|---|---|
| 🟡 | allintitle:"AgentGPT" | AgentGPT | | AgentGPT strict title match (low FP). |
| 🟡 | allintitle:"Amundsen" | Amundsen | | Amundsen strict title match (low FP). |
| 🟡 | allintitle:"Anduril Lattice - Login" | Anduril Lattice | | Anduril Lattice strict title match (low FP). |
| 🟡 | allintitle:"AnythingLLM" | AnythingLLM | | AnythingLLM strict title match (low FP). |
| 🟡 | intitle:"Airflow" | Apache Airflow | CVE-2020-13927 | Apache Airflow (workflow_orchestration). auth on with 8 documented bypass patterns |
| 🟡 | allintitle:"Airflow" | Apache Airflow | CVE-2020-13927 | Apache Airflow strict title match (low FP). |
| 🟡 | intitle:"Airflow" -site:airflow.apache.org -site:github.com | Apache Airflow | CVE-2020-13927 | Self-hosted Apache Airflow only; vendor + source excluded. auth on with 8 documented bypass patterns |
| 🟡 | allintitle:"DolphinScheduler" | Apache DolphinScheduler | | Apache DolphinScheduler strict title match (low FP). |
| 🟡 | intitle:"Apache Flink Web Dashboard" | Apache Flink | CVE-2020-17518 | Apache Flink (workflow_orchestration). no auth by default |
| 🟡 | allintitle:"Apache Flink Web Dashboard" | Apache Flink | CVE-2020-17518 | Apache Flink strict title match (low FP). |
| 🟡 | intitle:"Apache Flink Web Dashboard" -site:flink.apache.org -site:github.com | Apache Flink | CVE-2020-17518 | Self-hosted Apache Flink only; vendor + source excluded. no auth by default |
| 🟡 | intitle:"Apache Superset" | Apache Superset | CVE-2023-27524 | Apache Superset (bi_dashboard). default SECRET_KEY leads to auth bypass |
| 🟡 | allintitle:"Apache Superset" | Apache Superset | CVE-2023-27524 | Apache Superset strict title match (low FP). |
| 🟡 | intitle:"Apache Superset" -site:superset.apache.org -site:github.com | Apache Superset | CVE-2023-27524 | Self-hosted Apache Superset only; vendor + source excluded. default SECRET_KEY leads to auth bypass |
| 🟡 | allintitle:"Apache Tika" | Apache Tika | | Apache Tika strict title match (low FP). |
| 🟡 | allintitle:"ArangoDB Web Interface" | ArangoDB | | ArangoDB strict title match (low FP). |
| 🟡 | intitle:"Argilla" | Argilla | CVE-2023-38686 | Argilla (data_labeling). auth on since v1.x; default-public workspace misconfiguration seen |
| 🟡 | allintitle:"Argilla" | Argilla | CVE-2023-38686 | Argilla strict title match (low FP). |
| 🟡 | intitle:"Argilla" -site:argilla.io -site:github.com | Argilla | CVE-2023-38686 | Self-hosted Argilla only; vendor + source excluded. auth on since v1.x; default-public workspace misconfiguration seen |
| 🟡 | intitle:"Argo" | Argo Workflows | CVE-2026-28229 | Argo Workflows (workflow_orchestration). --auth-mode=server disables all credential requirements |
| 🟡 | intitle:"Argo" -site:argoproj.github.io -site:github.com | Argo Workflows | CVE-2026-28229 | Self-hosted Argo Workflows only; vendor + source excluded. --auth-mode=server disables all credential requirements |
| 🟡 | allintitle:"Arize Phoenix" | Arize Phoenix | | Arize Phoenix strict title match (low FP). |
| 🟡 | allintitle:"Authelia" | Authelia | | Authelia strict title match (low FP). |
| 🟡 | intitle:"authentik" | Authentik | CVE-2024-47070 | Authentik (gateway_observability). login required; /api/v3/root/config/ pre-auth accessible |
| 🟡 | allintitle:"authentik" | Authentik | CVE-2024-47070 | Authentik strict title match (low FP). |
| 🟡 | intitle:"authentik" -site:goauthentik.io -site:github.com | Authentik | CVE-2024-47070 | Self-hosted Authentik only; vendor + source excluded. login required; /api/v3/root/config/ pre-auth accessible |
| 🟡 | allintitle:"AutoGPT" | AutoGPT | | AutoGPT strict title match (low FP). |
| 🟡 | allintitle:"Axolotl" | Axolotl | | Axolotl strict title match (low FP). |
| 🟡 | allintitle:"browserless" | Browserless | | Browserless strict title match (low FP). |
| 🟡 | intitle:"CKAN" | CKAN | CVE-2023-32321 | CKAN (specialty_data). reads open by design |
| 🟡 | allintitle:"Cadence" | Cadence Workflow | | Cadence Workflow strict title match (low FP). |
| 🟡 | intitle:"Casdoor" | Casdoor | CVE-2024-41657 | Casdoor (gateway_observability). default-creds built-in/admin/123 |
| 🟡 | allintitle:"Casdoor" | Casdoor | CVE-2024-41657 | Casdoor strict title match (low FP). |
| 🟡 | allintitle:"ChatTTS" | ChatTTS | | ChatTTS strict title match (low FP). |
| 🟡 | allintitle:"Chatterbox TTS" | Chatterbox TTS | | Chatterbox TTS strict title match (low FP). |
| 🟡 | allintitle:"Chroma" | ChromaDB | | ChromaDB strict title match (low FP). |
| 🟡 | allintitle:"ClearML" | ClearML | | ClearML strict title match (low FP). |
| 🟡 | allintitle:"ClickHouse" | ClickHouse | | ClickHouse strict title match (low FP). |
| 🟡 | allintitle:"Collibra" | Collibra | | Collibra strict title match (low FP). |
| 🟡 | allintitle:"ComfyUI" | ComfyUI | | ComfyUI strict title match (low FP). |
| 🟡 | allintitle:"Dagster" | Dagster | | Dagster strict title match (low FP). |
| 🟡 | allintitle:"DataHub" | DataHub | | DataHub strict title match (low FP). |
| 🟡 | allintitle:"Determined" | Determined AI | | Determined AI strict title match (low FP). |
| 🟡 | allintitle:"Devika" | Devika | | Devika strict title match (low FP). |
| 🟡 | allintitle:"doccano" | Doccano | | Doccano strict title match (low FP). |
| 🟡 | allintitle:"Docling" | Docling | | Docling strict title match (low FP). |
| 🟡 | allintitle:"Evidently - ML Monitoring" | Evidently ML Monitoring | | Evidently ML Monitoring strict title match (low FP). |
| 🟡 | intitle:"Flowise" | Flowise | CVE-2024-36420 | Flowise (orchestration). mixed auth; pre-1.8.2 auth bypass via path traversal |
| 🟡 | allintitle:"Flowise" | Flowise | CVE-2024-36420 | Flowise strict title match (low FP). |
| 🟡 | intitle:"Flowise" -site:flowiseai.com -site:github.com | Flowise | CVE-2024-36420 | Self-hosted Flowise only; vendor + source excluded. mixed auth; pre-1.8.2 auth bypass via path traversal |
| 🟡 | allintitle:"Flyte Console" | Flyte | | Flyte strict title match (low FP). |
| 🟡 | allintitle:"GPT Researcher" | GPT Researcher | | GPT Researcher strict title match (low FP). |
| 🟡 | intitle:"GPT-SoVITS" | GPT-SoVITS | CVE-2025-49833 | GPT-SoVITS (voice_audio). no auth by default; command injection RCE |
| 🟡 | allintitle:"GPT-SoVITS" | GPT-SoVITS | CVE-2025-49833 | GPT-SoVITS strict title match (low FP). |
| 🟡 | intitle:"GitHub Enterprise" | GitHub Enterprise Server (GHES) | CVE-2024-9487 | GitHub Enterprise Server (GHES) (code_assistant). OAuth enforced; SAML bypass on affected versions |
| 🟡 | allintitle:"GitHub Enterprise" | GitHub Enterprise Server (GHES) | CVE-2024-9487 | GitHub Enterprise Server (GHES) strict title match (low FP). |
| 🟡 | allintitle:"Gradio" | Gradio | | Gradio strict title match (low FP). |
| 🟡 | intitle:"Grafana" | Grafana | CVE-2021-43798 | Grafana (bi_dashboard). anonymous access misconfiguration common |
| 🟡 | allintitle:"Grafana" | Grafana | CVE-2021-43798 | Grafana strict title match (low FP). |
| 🟡 | intitle:"Grafana" -site:grafana.com -site:github.com | Grafana | CVE-2021-43798 | Self-hosted Grafana only; vendor + source excluded. anonymous access misconfiguration common |
| 🟡 | allintitle:"Data Docs" | Great Expectations | | Great Expectations strict title match (low FP). |
| 🟡 | allintitle:"Harbor" | Harbor | | Harbor strict title match (low FP). |
| 🟡 | allintitle:"Helicone" | Helicone | | Helicone strict title match (low FP). |
| 🟡 | allintitle:"Hopsworks" | Hopsworks | | Hopsworks strict title match (low FP). |
| 🟡 | intitle:"Jupyter" | Jupyter Notebook / JupyterLab | CVE-2019-10255 | Jupyter Notebook / JupyterLab (notebook). modern deployments consistently locked; older --NotebookApp.token= blank is unauth RCE |
| 🟡 | allintitle:"Jupyter" | Jupyter Notebook / JupyterLab | CVE-2019-10255 | Jupyter Notebook / JupyterLab strict title match (low FP). |
| 🟡 | intitle:"Jupyter" -site:jupyter.org -site:github.com | Jupyter Notebook / JupyterLab | CVE-2019-10255 | Self-hosted Jupyter Notebook / JupyterLab only; vendor + source excluded. modern deployments consistently locked; older --NotebookApp.token= blank is unauth RCE |
| 🟡 | intitle:"JupyterHub" | JupyterHub | CVE-2026-33709 | JupyterHub (notebook). auth on by default since v1.x |
| 🟡 | allintitle:"JupyterHub" | JupyterHub | CVE-2026-33709 | JupyterHub strict title match (low FP). |
| 🟡 | intitle:"JupyterHub" -site:jupyter.org -site:github.com | JupyterHub | CVE-2026-33709 | Self-hosted JupyterHub only; vendor + source excluded. auth on by default since v1.x |
| 🟡 | allintitle:"Kestra" | Kestra | | Kestra strict title match (low FP). |
| 🟡 | intitle:"Keycloak" | Keycloak | CVE-2024-3656 | Keycloak (gateway_observability). login required for admin; OIDC discovery endpoints unauthenticated |
| 🟡 | allintitle:"Keycloak" | Keycloak | CVE-2024-3656 | Keycloak strict title match (low FP). |
| 🟡 | intitle:"Keycloak" -site:keycloak.org -site:github.com | Keycloak | CVE-2024-3656 | Self-hosted Keycloak only; vendor + source excluded. login required for admin; OIDC discovery endpoints unauthenticated |
| 🟡 | allintitle:"Kibana" | Kibana | | Kibana strict title match (low FP). |
| 🟡 | allintitle:"Kokoro" | Kokoro TTS / Kokoro-FastAPI | | Kokoro TTS / Kokoro-FastAPI strict title match (low FP). |
| 🟡 | allintitle:"Kong Manager" | Kong AI Gateway | | Kong AI Gateway strict title match (low FP). |
| 🟡 | allintitle:"Kubeflow Central Dashboard" | Kubeflow | | Kubeflow strict title match (low FP). |
| 🟡 | allintitle:"LLaMA Factory" | LLaMA Factory | | LLaMA Factory strict title match (low FP). |
| 🟡 | intitle:"Label Studio" | Label Studio | CVE-2022-25011 | Label Studio (data_labeling). mandatory auth; /api/projects sometimes misconfigured readable |
| 🟡 | allintitle:"Label Studio" | Label Studio | CVE-2022-25011 | Label Studio strict title match (low FP). |
| 🟡 | intitle:"Label Studio" -site:labelstud.io -site:github.com | Label Studio | CVE-2022-25011 | Self-hosted Label Studio only; vendor + source excluded. mandatory auth; /api/projects sometimes misconfigured readable |
| 🟡 | allintitle:"LangGraph" | LangGraph Server | | LangGraph Server strict title match (low FP). |
| 🟡 | allintitle:"LangSmith" | LangSmith | | LangSmith strict title match (low FP). |
| 🟡 | intitle:"Langflow" | Langflow | CVE-2026-33017 | Langflow (orchestration). LANGFLOW_AUTO_LOGIN gating in v1.5+, often left open |
| 🟡 | allintitle:"Langflow" | Langflow | CVE-2026-33017 | Langflow strict title match (low FP). |
| 🟡 | intitle:"Langflow" -site:langflow.org -site:datastax.com -site:github.com | Langflow | CVE-2026-33017 | Self-hosted Langflow only; vendor + source excluded. LANGFLOW_AUTO_LOGIN gating in v1.5+, often left open |
| 🟡 | allintitle:"LibreChat" | LibreChat | | LibreChat strict title match (low FP). |
| 🟡 | allintitle:"LiteLLM" | LiteLLM | | LiteLLM strict title match (low FP). |
| 🟡 | allintitle:"LiveKit" | LiveKit Agents | | LiveKit Agents strict title match (low FP). |
| 🟡 | allintitle:"Create Llama App" | LlamaIndex / Create Llama App | | LlamaIndex / Create Llama App strict title match (low FP). |
| 🟡 | intitle:"MLflow" | MLflow | CVE-2024-37052 | MLflow (training_experiment). no auth by default |
| 🟡 | allintitle:"MLflow" | MLflow | CVE-2024-37052 | MLflow strict title match (low FP). |
| 🟡 | intitle:"MLflow" -site:mlflow.org -site:databricks.com -site:github.com | MLflow | CVE-2024-37052 | Self-hosted MLflow only; vendor + source excluded. no auth by default |
| 🟡 | intitle:"Mage" | Mage.ai | CVE-2025-2129 | Mage.ai (workflow_orchestration). no auth pre-v0.9.78; ~1,045 confirmed unauth at disclosure |
| 🟡 | intitle:"Mage" -site:mage.ai -site:github.com | Mage.ai | CVE-2025-2129 | Self-hosted Mage.ai only; vendor + source excluded. no auth pre-v0.9.78; ~1,045 confirmed unauth at disclosure |
| 🟡 | allintitle:"Marquez" | Marquez (OpenLineage) | | Marquez (OpenLineage) strict title match (low FP). |
| 🟡 | allintitle:"Memgraph Lab" | Memgraph | | Memgraph strict title match (low FP). |
| 🟡 | allintitle:"MetaGPT" | MetaGPT | | MetaGPT strict title match (low FP). |
| 🟡 | intitle:"Metabase" | Metabase | CVE-2023-38646 | Metabase (bi_dashboard). setup-wizard bypass; has-user-setup: false = exploitable |
| 🟡 | allintitle:"Metabase" | Metabase | CVE-2023-38646 | Metabase strict title match (low FP). |
| 🟡 | intitle:"Metabase" -site:metabase.com -site:github.com | Metabase | CVE-2023-38646 | Self-hosted Metabase only; vendor + source excluded. setup-wizard bypass; has-user-setup: false = exploitable |
| 🟡 | intitle:"MinIO Browser" | MinIO | CVE-2023-28432 | MinIO (container). default-creds minioadmin:minioadmin |
| 🟡 | allintitle:"MinIO Browser" | MinIO | CVE-2023-28432 | MinIO strict title match (low FP). |
| 🟡 | intitle:"MinIO Browser" -site:min.io -site:github.com | MinIO | CVE-2023-28432 | Self-hosted MinIO only; vendor + source excluded. default-creds minioadmin:minioadmin |
| 🟡 | intitle:"Conductor UI" | Netflix Conductor | CVE-2020-9296 | Netflix Conductor (workflow_orchestration). no auth by default |
| 🟡 | allintitle:"Conductor UI" | Netflix Conductor | CVE-2020-9296 | Netflix Conductor strict title match (low FP). |
| 🟡 | allintitle:"Open WebUI" | Open WebUI | | Open WebUI strict title match (low FP). |
| 🟡 | allintitle:"Clawdbot Control" | OpenClaw / Clawdbot | | OpenClaw / Clawdbot strict title match (low FP). |
| 🟡 | allintitle:"OpenHands" | OpenHands (formerly OpenDevin) | | OpenHands (formerly OpenDevin) strict title match (low FP). |
| 🟡 | allintitle:"OpenMemory" | OpenMemory UI (mem0) | | OpenMemory UI (mem0) strict title match (low FP). |
| 🟡 | intitle:"OpenMetadata" | OpenMetadata | CVE-2024-28255 | OpenMetadata (specialty_data). auth on but CVE-2024-28255 bypass on <1.3.1; actively exploited |
| 🟡 | allintitle:"OpenMetadata" | OpenMetadata | CVE-2024-28255 | OpenMetadata strict title match (low FP). |
| 🟡 | allintitle:"OpenSearch Dashboards" | OpenSearch | | OpenSearch strict title match (low FP). |
| 🟡 | allintitle:"OpenVoice" | OpenVoice | | OpenVoice strict title match (low FP). |
| 🟡 | allintitle:"Optuna Dashboard" | Optuna Dashboard | | Optuna Dashboard strict title match (low FP). |
| 🟡 | allintitle:"Orpheus TTS" | Orpheus-FastAPI TTS | | Orpheus-FastAPI TTS strict title match (low FP). |
| 🟡 | allintitle:"Orthanc Explorer" | Orthanc DICOM Server | | Orthanc DICOM Server strict title match (low FP). |
| 🟡 | allintitle:"Perplexica" | Perplexica | | Perplexica strict title match (low FP). |
| 🟡 | allintitle:"Pipecat" | Pipecat | | Pipecat strict title match (low FP). |
| 🟡 | allintitle:"Playwright" | Playwright MCP Server | | Playwright MCP Server strict title match (low FP). |
| 🟡 | allintitle:"Portkey" | Portkey | | Portkey strict title match (low FP). |
| 🟡 | allintitle:"Prefect Server" | Prefect Server | | Prefect Server strict title match (low FP). |
| 🟡 | allintitle:"PromptLayer" | PromptLayer | | PromptLayer strict title match (low FP). |
| 🟡 | allintitle:"promptfoo" | Promptfoo | | Promptfoo strict title match (low FP). |
| 🟡 | allintitle:"Qdrant" | Qdrant | | Qdrant strict title match (low FP). |
| 🟡 | intitle:"RVC" | RVC (Retrieval-based Voice Conversion) | CVE-2025-43842 | RVC (Retrieval-based Voice Conversion) (voice_audio). no auth by default; RCE via pickle deserialization |
| 🟡 | intitle:"Ray Dashboard" | Ray Dashboard | CVE-2023-48022 | Ray Dashboard (training_experiment). no auth; ShadowRay actively exploited |
| 🟡 | allintitle:"Ray Dashboard" | Ray Dashboard | CVE-2023-48022 | Ray Dashboard strict title match (low FP). |
| 🟡 | intitle:"Ray Dashboard" -site:ray.io -site:anyscale.com -site:github.com | Ray Dashboard | CVE-2023-48022 | Self-hosted Ray Dashboard only; vendor + source excluded. no auth; ShadowRay actively exploited |
| 🟡 | allintitle:"Redash" | Redash | | Redash strict title match (low FP). |
| 🟡 | intitle:"RedisInsight" | Redis | CVE-2025-49844 | Redis (vector_db). no password by default on ~68k of 245k instances |
| 🟡 | allintitle:"RedisInsight" | Redis | CVE-2025-49844 | Redis strict title match (low FP). |
| 🟡 | intitle:"RedisInsight" -site:redis.io -site:github.com | Redis | CVE-2025-49844 | Self-hosted Redis only; vendor + source excluded. no password by default on ~68k of 245k instances |
| 🟡 | allintitle:"Refact" | Refact.ai (self-hosted) | | Refact.ai (self-hosted) strict title match (low FP). |
| 🟡 | allintitle:"Omniboard" | Sacred / Omniboard | | Sacred / Omniboard strict title match (low FP). |
| 🟡 | allintitle:"Seldon" | Seldon Core | | Seldon Core strict title match (low FP). |
| 🟡 | allintitle:"Selenium Grid" | Selenium Grid | | Selenium Grid strict title match (low FP). |
| 🟡 | allintitle:"Selenoid" | Selenoid | | Selenoid strict title match (low FP). |
| 🟡 | allintitle:"Sourcebot" | Sourcebot | | Sourcebot strict title match (low FP). |
| 🟡 | allintitle:"Sourcegraph" | Sourcegraph / Cody | | Sourcegraph / Cody strict title match (low FP). |
| 🟡 | allintitle:"History Server" | Spark History Server | | Spark History Server strict title match (low FP). |
| 🟡 | allintitle:"SpeechBrain" | SpeechBrain | | SpeechBrain strict title match (low FP). |
| 🟡 | allintitle:"Stable Diffusion" | Stable Diffusion WebUI (AUTOMATIC1111) | | Stable Diffusion WebUI (AUTOMATIC1111) strict title match (low FP). |
| 🟡 | allintitle:"Streamlit" | Streamlit | | Streamlit strict title match (low FP). |
| 🟡 | allintitle:"Supabase Studio" | Supabase | | Supabase strict title match (low FP). |
| 🟡 | allintitle:"SuperAGI" | SuperAGI | | SuperAGI strict title match (low FP). |
| 🟡 | allintitle:"Temporal" | Temporal Workflow | | Temporal Workflow strict title match (low FP). |
| 🟡 | allintitle:"TensorBoard" | TensorBoard | | TensorBoard strict title match (low FP). |
| 🟡 | allintitle:"Tortoise" | Tortoise TTS | | Tortoise TTS strict title match (low FP). |
| 🟡 | allintitle:"TruLens" | TruLens | | TruLens strict title match (low FP). |
| 🟡 | allintitle:"Unstructured" | Unstructured API | | Unstructured API strict title match (low FP). |
| 🟡 | allintitle:"Weaviate" | Weaviate | | Weaviate strict title match (low FP). |
| 🟡 | allintitle:"Weights & Biases" | Weights & Biases (W&B) | | Weights & Biases (W&B) strict title match (low FP). |
| 🟡 | allintitle:"Whisper" | Whisper ASR | | Whisper ASR strict title match (low FP). |
| 🟡 | allintitle:"Windmill" | Windmill | | Windmill strict title match (low FP). |
| 🟡 | allintitle:"Xinference" | Xinference | | Xinference strict title match (low FP). |
| 🟡 | allintitle:"ZITADEL" | Zitadel | | Zitadel strict title match (low FP). |
| 🟡 | allintitle:"dcm4chee Archive UI" | dcm4chee Archive | | dcm4chee Archive strict title match (low FP). |
| 🟡 | intitle:"n8n" | n8n | CVE-2024-25289 | n8n (workflow_orchestration). basicauth optional and frequently skipped |
| 🟡 | intitle:"n8n" -site:n8n.io -site:n8n.cloud -site:github.com | n8n | CVE-2024-25289 | Self-hosted n8n only; vendor + source excluded. basicauth optional and frequently skipped |
| 🟡 | allintitle:"pgAdmin" | pgAdmin | | pgAdmin strict title match (low FP). |
| 🟡 | allintitle:"SoftVC" | so-vits-svc | | so-vits-svc strict title match (low FP). |
| ⚪ | intitle:"AgentGPT" | AgentGPT | | AgentGPT (agent_framework). full population open-access; 0 auth-gated |
| ⚪ | intitle:"Amundsen" | Amundsen | | Amundsen (specialty_data). auth absent unless flaskoidc manually configured |
| ⚪ | intitle:"Anduril Lattice - Login" | Anduril Lattice | | Anduril Lattice (agent_framework). Envoy + SAML auth |
| ⚪ | intitle:"AnythingLLM" | AnythingLLM | | AnythingLLM (rag_stack). known auth bypass history; single-user mode ships with password protect disabled |
| ⚪ | intitle:"DolphinScheduler" | Apache DolphinScheduler | | Apache DolphinScheduler (workflow_orchestration). default-creds admin/dolphinscheduler123 |
| ⚪ | intitle:"Apache Tika" | Apache Tika | | Apache Tika (gateway_observability). SSRF history; arbitrary file read |
| ⚪ | intitle:"ArangoDB Web Interface" | ArangoDB | | ArangoDB (vector_db). auth defaults to false |
| ⚪ | intitle:"Arize Phoenix" | Arize Phoenix | | Arize Phoenix (gateway_observability). no auth, --host 0.0.0.0 default |
| ⚪ | intitle:"Arize Phoenix" -site:arize.com -site:github.com | Arize Phoenix | | Self-hosted Arize Phoenix only; vendor + source excluded. no auth, --host 0.0.0.0 default |
| ⚪ | intitle:"Authelia" | Authelia | | Authelia (gateway_observability). login portal to all downstream services |
| ⚪ | intitle:"browserless" | Browserless | | Browserless (agent_framework). no auth concept |
| ⚪ | intitle:"CVAT" -site:cvat.ai -site:github.com | CVAT | | Self-hosted CVAT only; vendor + source excluded. auth on by default |
| ⚪ | intitle:"Chatterbox TTS" | Chatterbox TTS | | Chatterbox TTS (voice_audio). no auth; /upload_reference unauth on both variants |
| ⚪ | intitle:"Chroma" -site:trychroma.com -site:github.com | ChromaDB | | Self-hosted ChromaDB only; vendor + source excluded. no auth by default |
| ⚪ | intitle:"ClearML" -site:clear.ml -site:github.com | ClearML | | Self-hosted ClearML only; vendor + source excluded. ships with free access login; explicit opt-in required for real auth |
| ⚪ | intitle:"ClickHouse" | ClickHouse | | ClickHouse (specialty_data). default user ships with empty password |
| ⚪ | intitle:"ClickHouse" -site:clickhouse.com -site:github.com | ClickHouse | | Self-hosted ClickHouse only; vendor + source excluded. default user ships with empty password |
| ⚪ | intitle:"Collibra" | Collibra | | Collibra (specialty_data). default-creds Admin/Admin |
| ⚪ | intitle:"Dagster" -site:dagster.io -site:github.com | Dagster | | Self-hosted Dagster only; vendor + source excluded. no auth since 2020; runConfigYaml exposes all credentials |
| ⚪ | intitle:"Determined" | Determined AI | | Determined AI (training_experiment). default-creds admin with blank password |
| ⚪ | intitle:"Dify" -site:dify.ai -site:github.com | Dify | | Self-hosted Dify only; vendor + source excluded. login-gated but version leaks in headers |
| ⚪ | intitle:"Evidently - ML Monitoring" | Evidently ML Monitoring | | Evidently ML Monitoring (gateway_observability). no auth concept in default deploy |
| ⚪ | intitle:"Flyte Console" | Flyte | | Flyte (workflow_orchestration). useAuth:false in defaults; MinIO default creds |
| ⚪ | intitle:"GPT Researcher" | GPT Researcher | | GPT Researcher (agent_framework). all direct-deployment population openly accessible |
| ⚪ | intitle:"Data Docs" | Great Expectations | | Great Expectations (specialty_data). no auth when Data Docs served externally |
| ⚪ | intitle:"Harbor" -site:goharbor.io -site:github.com | Harbor | | Self-hosted Harbor only; vendor + source excluded. auth on by default |
| ⚪ | intitle:"Helicone" | Helicone | | Helicone (gateway_observability). None |
| ⚪ | intitle:"Helicone" -site:helicone.ai -site:github.com | Helicone | | Self-hosted Helicone only; vendor + source excluded. None |
| ⚪ | intitle:"Hopsworks" | Hopsworks | | Hopsworks (specialty_data). default-creds admin@kth.se/admin |
| ⚪ | intitle:"Kestra" -site:kestra.io -site:github.com | Kestra | | Self-hosted Kestra only; vendor + source excluded. auth off pre-v0.24.0 |
| ⚪ | intitle:"Kibana" -site:elastic.co -site:github.com | Kibana | | Self-hosted Kibana only; vendor + source excluded. None |
| ⚪ | intitle:"Kong Manager" | Kong AI Gateway | | Kong AI Gateway (gateway_observability). admin API no auth when bound to 0.0.0.0 |
| ⚪ | intitle:"Kong Manager" -site:konghq.com -site:github.com | Kong AI Gateway | | Self-hosted Kong AI Gateway only; vendor + source excluded. admin API no auth when bound to 0.0.0.0 |
| ⚪ | intitle:"Kubeflow Central Dashboard" | Kubeflow | | Kubeflow (training_experiment). single-user mode no auth |
| ⚪ | intitle:"Kubeflow Central Dashboard" -site:kubeflow.org -site:github.com | Kubeflow | | Self-hosted Kubeflow only; vendor + source excluded. single-user mode no auth |
| ⚪ | intitle:"LLaMA Factory" | LLaMA Factory | | LLaMA Factory (training_experiment). None |
| ⚪ | intitle:"LangGraph" | LangGraph Server | | LangGraph Server (agent_framework). no authentication in default configuration |
| ⚪ | intitle:"LangGraph" -site:langchain.com -site:github.com | LangGraph Server | | Self-hosted LangGraph Server only; vendor + source excluded. no authentication in default configuration |
| ⚪ | intitle:"LangSmith" | LangSmith | | LangSmith (gateway_observability). auth-off on pre-v0.10 deployments |
| ⚪ | intitle:"LangSmith" -site:langchain.com -site:github.com | LangSmith | | Self-hosted LangSmith only; vendor + source excluded. auth-off on pre-v0.10 deployments |
| ⚪ | intitle:"LibreChat" | LibreChat | | LibreChat (rag_stack). multi-provider chat UI, often unauth |
| ⚪ | intitle:"LibreChat" -site:librechat.ai -site:github.com | LibreChat | | Self-hosted LibreChat only; vendor + source excluded. multi-provider chat UI, often unauth |
| ⚪ | intitle:"LiteLLM" -site:litellm.ai -site:berri.ai -site:github.com | LiteLLM | | Self-hosted LiteLLM only; vendor + source excluded. master key often leaked in env |
| ⚪ | intitle:"Create Llama App" | LlamaIndex / Create Llama App | | LlamaIndex / Create Llama App (rag_stack). None |
| ⚪ | intitle:"Memgraph Lab" | Memgraph | | Memgraph (vector_db). None |
| ⚪ | intitle:"Attu" -site:milvus.io -site:zilliz.com -site:github.com | Milvus | | Self-hosted Milvus only; vendor + source excluded. no auth on Attu admin UI |
| ⚪ | intitle:"Open WebUI" | Open WebUI | | Open WebUI (orchestration). first-user-admin, effectively unauth on fresh deploys |
| ⚪ | intitle:"Open WebUI" -site:openwebui.com -site:github.com | Open WebUI | | Self-hosted Open WebUI only; vendor + source excluded. first-user-admin, effectively unauth on fresh deploys |
| ⚪ | intitle:"Clawdbot Control" | OpenClaw / Clawdbot | | OpenClaw / Clawdbot (agent_framework). no auth; shell execution, browser automation, email send, calendar write |
| ⚪ | intitle:"OpenHands" | OpenHands (formerly OpenDevin) | | OpenHands (formerly OpenDevin) (agent_framework). 0% auth-gated; entire population openly accessible |
| ⚪ | intitle:"OpenHands" -site:all-hands.dev -site:github.com | OpenHands (formerly OpenDevin) | | Self-hosted OpenHands (formerly OpenDevin) only; vendor + source excluded. 0% auth-gated; entire population openly accessible |
| ⚪ | intitle:"OpenMemory" | OpenMemory UI (mem0) | | OpenMemory UI (mem0) (rag_stack). no auth by default |
| ⚪ | intitle:"OpenSearch Dashboards" | OpenSearch | | OpenSearch (search_data). None |
| ⚪ | intitle:"OpenSearch Dashboards" -site:opensearch.org -site:github.com | OpenSearch | | Self-hosted OpenSearch only; vendor + source excluded. None |
| ⚪ | intitle:"OpenVoice" | OpenVoice | | OpenVoice (voice_audio). no auth by default |
| ⚪ | intitle:"Optuna Dashboard" | Optuna Dashboard | | Optuna Dashboard (training_experiment). no auth when containerized |
| ⚪ | intitle:"Orpheus TTS" | Orpheus-FastAPI TTS | | Orpheus-FastAPI TTS (voice_audio). no auth by default |
| ⚪ | intitle:"Orthanc Explorer" | Orthanc DICOM Server | | Orthanc DICOM Server (medical_edge). no auth by default; PHI exposure |
| ⚪ | intitle:"Perplexica" | Perplexica | | Perplexica (rag_stack). no auth; developer advisory against public exposure |
| ⚪ | intitle:"Playwright" | Playwright MCP Server | | Playwright MCP Server (mcp). no auth by default |
| ⚪ | intitle:"Portkey" -site:portkey.ai -site:github.com | Portkey | | Self-hosted Portkey only; vendor + source excluded. provider API keys in config |
| ⚪ | intitle:"Prefect Server" | Prefect Server | | Prefect Server (workflow_orchestration). PREFECT_SERVER_API_AUTH_STRING not set by default |
| ⚪ | intitle:"Prefect Server" -site:prefect.io -site:github.com | Prefect Server | | Self-hosted Prefect Server only; vendor + source excluded. PREFECT_SERVER_API_AUTH_STRING not set by default |
| ⚪ | intitle:"PromptLayer" | PromptLayer | | PromptLayer (gateway_observability). logs every prompt/response with keys |
| ⚪ | intitle:"promptfoo" | Promptfoo | | Promptfoo (safety_guardrail). no auth gate on API routes |
| ⚪ | intitle:"promptfoo" -site:promptfoo.dev -site:github.com | Promptfoo | | Self-hosted Promptfoo only; vendor + source excluded. no auth gate on API routes |
| ⚪ | intitle:"Qdrant" -site:qdrant.tech -site:github.com | Qdrant | | Self-hosted Qdrant only; vendor + source excluded. no auth by default |
| ⚪ | intitle:"Omniboard" | Sacred / Omniboard | | Sacred / Omniboard (training_experiment). no auth; source code with hardcoded creds exposed |
| ⚪ | intitle:"Selenium Grid" | Selenium Grid | | Selenium Grid (agent_framework). no auth in default deploy |
| ⚪ | intitle:"Selenoid" | Selenoid | | Selenoid (agent_framework). no auth in default deploy |
| ⚪ | intitle:"Sourcebot" | Sourcebot | | Sourcebot (code_assistant). None |
| ⚪ | intitle:"Sourcegraph" | Sourcegraph / Cody | | Sourcegraph / Cody (code_assistant). built-in auth; free-license instances promote all users to site-admin |
| ⚪ | intitle:"Sourcegraph" -site:sourcegraph.com -site:github.com | Sourcegraph / Cody | | Self-hosted Sourcegraph / Cody only; vendor + source excluded. built-in auth; free-license instances promote all users to site-admin |
| ⚪ | intitle:"History Server" | Spark History Server | | Spark History Server (workflow_orchestration). no auth by default; job env vars include AWS/GCS credentials |
| ⚪ | intitle:"SpeechBrain" | SpeechBrain | | SpeechBrain (voice_audio). no auth on self-hosted wrappers |
| ⚪ | intitle:"Stable Diffusion" | Stable Diffusion WebUI (AUTOMATIC1111) | | Stable Diffusion WebUI (AUTOMATIC1111) (image_gen). no auth by default |
| ⚪ | intitle:"Streamlit" | Streamlit | | Streamlit (notebook). no auth concept in framework; T1 |
| ⚪ | intitle:"Streamlit" -site:streamlit.io -site:github.com | Streamlit | | Self-hosted Streamlit only; vendor + source excluded. no auth concept in framework; T1 |
| ⚪ | intitle:"Supabase Studio" | Supabase | | Supabase (vector_db). ships with pgvector by default; anon key misconfiguration risk |
| ⚪ | intitle:"Supabase Studio" -site:supabase.com -site:github.com | Supabase | | Self-hosted Supabase only; vendor + source excluded. ships with pgvector by default; anon key misconfiguration risk |
| ⚪ | intitle:"SuperAGI" | SuperAGI | | SuperAGI (agent_framework). some auth friction but mostly open |
| ⚪ | intitle:"Temporal" | Temporal Workflow | | Temporal Workflow (workflow_orchestration). noopAuthorizer compiled in; OIDC requires custom plugin |
| ⚪ | intitle:"Temporal" -site:temporal.io -site:github.com | Temporal Workflow | | Self-hosted Temporal Workflow only; vendor + source excluded. noopAuthorizer compiled in; OIDC requires custom plugin |
| ⚪ | intitle:"TensorBoard" | TensorBoard | | TensorBoard (training_experiment). no auth concept in standalone mode |
| ⚪ | intitle:"Tortoise" | Tortoise TTS | | Tortoise TTS (voice_audio). no auth by default |
| ⚪ | intitle:"Unstructured" | Unstructured API | | Unstructured API (gateway_observability). None |
| ⚪ | intitle:"Weaviate" | Weaviate | | Weaviate (vector_db). anonymous access enabled unless explicitly set to false |
| ⚪ | intitle:"Weaviate" -site:weaviate.io -site:github.com | Weaviate | | Self-hosted Weaviate only; vendor + source excluded. anonymous access enabled unless explicitly set to false |
| ⚪ | intitle:"Weights & Biases" | Weights & Biases (W&B) | | Weights & Biases (W&B) (training_experiment). auth on by default |
| ⚪ | intitle:"Weights & Biases" -site:wandb.ai -site:github.com | Weights & Biases (W&B) | | Self-hosted Weights & Biases (W&B) only; vendor + source excluded. auth on by default |
| ⚪ | intitle:"Windmill" | Windmill | | Windmill (workflow_orchestration). default-creds admin@windmill.dev/changeme |
| ⚪ | intitle:"Xinference" | Xinference | | Xinference (model_serving). no auth by default |
| ⚪ | intitle:"ZenML" -site:zenml.io -site:github.com | ZenML Server | | Self-hosted ZenML Server only; vendor + source excluded. default password empty string |
| ⚪ | intitle:"dcm4chee Archive UI" | dcm4chee Archive | | dcm4chee Archive (medical_edge). Keycloak-fronted; auth state may be misconfigured |
| 🟤 | intitle:"Agno" | Agno (formerly Phidata) | | Agno (formerly Phidata) (agent_framework). thin deployment surface |
| 🟤 | intitle:"Aim" | Aim Experiment Tracker | | Aim Experiment Tracker (training_experiment). no auth mechanism |
| 🟤 | intitle:"Atlas" | Apache Atlas | | Apache Atlas (specialty_data). default-creds admin/admin |
| 🟤 | intitle:"Applio" | Applio | | Applio (voice_audio). no auth by default |
| 🟤 | intitle:"AutoGPT" | AutoGPT | | AutoGPT (agent_framework). moribund project |
| 🟤 | intitle:"Axolotl" | Axolotl | | Axolotl (training_experiment). None |
| 🟤 | intitle:"Bark" | Bark TTS | | Bark TTS (voice_audio). no auth by default |
| 🟤 | intitle:"CVAT" | CVAT | | CVAT (data_labeling). auth on by default |
| 🟤 | intitle:"Cadence" | Cadence Workflow | | Cadence Workflow (workflow_orchestration). CADENCE_WEB_AUTH_STRATEGY=disabled default |
| 🟤 | intitle:"ChatTTS" | ChatTTS | | ChatTTS (voice_audio). no auth by default |
| 🟤 | intitle:"Chroma" | ChromaDB | | ChromaDB (vector_db). no auth by default |
| 🟤 | intitle:"ClearML" | ClearML | | ClearML (training_experiment). ships with free access login; explicit opt-in required for real auth |
| 🟤 | intitle:"Comet" | Comet ML | | Comet ML (training_experiment). default-creds admin:admin on versions <24.9.8 |
| 🟤 | intitle:"Opik" | Comet Opik | | Comet Opik (gateway_observability). auth was feature request as of 2025; likely open |
| 🟤 | intitle:"ComfyUI" | ComfyUI | | ComfyUI (image_gen). no auth by default; ComfyUI-Manager = RCE by design |
| 🟤 | intitle:"Coqui" | Coqui TTS | | Coqui TTS (voice_audio). no auth by default |
| 🟤 | intitle:"Dagster" | Dagster | | Dagster (workflow_orchestration). no auth since 2020; runConfigYaml exposes all credentials |
| 🟤 | intitle:"Onyx" | Danswer / Onyx | | Danswer / Onyx (rag_stack). AUTH_TYPE=disabled option; first-run signup required |
| 🟤 | intitle:"DataHub" | DataHub | | DataHub (specialty_data). GMS backend auth-off by default; JWT not cryptographically verified |
| 🟤 | intitle:"Devika" | Devika | | Devika (agent_framework). None |
| 🟤 | intitle:"Ratel" | Dgraph | | Dgraph (vector_db). None |
| 🟤 | intitle:"Dify" | Dify | | Dify (orchestration). login-gated but version leaks in headers |
| 🟤 | intitle:"doccano" | Doccano | | Doccano (data_labeling). auth on by default; /v1/health open for fingerprinting |
| 🟤 | intitle:"Docling" | Docling | | Docling (gateway_observability). None |
| 🟤 | intitle:"Dyad" | Dyad | | Dyad (code_assistant). None |
| 🟤 | intitle:"Gradio" | Gradio | | Gradio (orchestration). no auth by default |
| 🟤 | intitle:"Harbor" | Harbor | | Harbor (container). auth on by default |
| 🟤 | intitle:"Hatchet" | Hatchet | | Hatchet (workflow_orchestration). default-creds admin@example.com/Admin123!! |
| 🟤 | intitle:"Kestra" | Kestra | | Kestra (workflow_orchestration). auth off pre-v0.24.0 |
| 🟤 | intitle:"Kibana" | Kibana | | Kibana (search_data). None |
| 🟤 | intitle:"Kokoro" | Kokoro TTS / Kokoro-FastAPI | | Kokoro TTS / Kokoro-FastAPI (voice_audio). no auth by default |
| 🟤 | intitle:"LiteLLM" | LiteLLM | | LiteLLM (gateway_observability). master key often leaked in env |
| 🟤 | intitle:"LiveKit" | LiveKit Agents | | LiveKit Agents (voice_audio). JWT required for room ops; health endpoint open |
| 🟤 | intitle:"Marquez" | Marquez (OpenLineage) | | Marquez (OpenLineage) (specialty_data). no auth by default |
| 🟤 | intitle:"MetaGPT" | MetaGPT | | MetaGPT (agent_framework). no persistent HTTP service |
| 🟤 | intitle:"Attu" | Milvus | | Milvus (vector_db). no auth on Attu admin UI |
| 🟤 | intitle:"Pipecat" | Pipecat | | Pipecat (voice_audio). no auth by default |
| 🟤 | intitle:"Piper" | Piper TTS | | Piper TTS (voice_audio). no auth by default |
| 🟤 | intitle:"Portkey" | Portkey | | Portkey (gateway_observability). provider API keys in config |
| 🟤 | intitle:"Qdrant" | Qdrant | | Qdrant (vector_db). no auth by default |
| 🟤 | intitle:"Redash" | Redash | | Redash (bi_dashboard). None |
| 🟤 | intitle:"Refact" | Refact.ai (self-hosted) | | Refact.ai (self-hosted) (code_assistant). auth off initially; community edition accepts any API key value |
| 🟤 | intitle:"Seldon" | Seldon Core | | Seldon Core (model_serving). no auth by default; Istio auth opt-in |
| 🟤 | intitle:"Splash" | Splash (Scrapinghub) | | Splash (Scrapinghub) (agent_framework). no auth by default |
| 🟤 | intitle:"Trino" | Trino / Presto | | Trino / Presto (workflow_orchestration). no auth by default |
| 🟤 | intitle:"TruLens" | TruLens | | TruLens (safety_guardrail). no auth (Streamlit); T1 |
| 🟤 | intitle:"Tyk" | Tyk Gateway | | Tyk Gateway (gateway_observability). default-creds shipped in tyk.conf.example |
| 🟤 | intitle:"Whisper" | Whisper ASR | | Whisper ASR (voice_audio). no auth by default |
| 🟤 | intitle:"ZenML" | ZenML Server | | ZenML Server (workflow_orchestration). default password empty string |
| 🟤 | intitle:"ZITADEL" | Zitadel | | Zitadel (gateway_observability). System API requires JWT; OIDC discovery unauthenticated |
| 🟤 | intitle:"pgAdmin" | pgAdmin | | pgAdmin (search_data). default creds historically common |
| 🟤 | intitle:"SoftVC" | so-vits-svc | | so-vits-svc (voice_audio). no auth by default |

Pages Containing Login Portals

96 dorks

| T | Dork | Service | CVE | Notes |
|---|---|---|---|---|
| 🟡 | intitle:"Airflow" inurl:login | Apache Airflow | CVE-2020-13927 | Apache Airflow login portal. auth on with 8 documented bypass patterns |
| 🟡 | intitle:"Apache Flink Web Dashboard" inurl:login | Apache Flink | CVE-2020-17518 | Apache Flink login portal. no auth by default |
| 🟡 | intitle:"Apache Superset" inurl:login | Apache Superset | CVE-2023-27524 | Apache Superset login portal. default SECRET_KEY leads to auth bypass |
| 🟡 | intitle:"Argilla" inurl:login | Argilla | CVE-2023-38686 | Argilla login portal. auth on since v1.x; default-public workspace misconfiguration seen |
| 🟡 | intitle:"Argo" inurl:login | Argo Workflows | CVE-2026-28229 | Argo Workflows login portal. --auth-mode=server disables all credential requirements |
| 🟡 | intitle:"authentik" inurl:login | Authentik | CVE-2024-47070 | Authentik login portal. login required; /api/v3/root/config/ pre-auth accessible |
| 🟡 | intitle:"Casdoor" inurl:login | Casdoor | CVE-2024-41657 | Casdoor login portal. default-creds built-in/admin/123 |
| 🟡 | intitle:"Flowise" inurl:login | Flowise | CVE-2024-36420 | Flowise login portal. mixed auth; pre-1.8.2 auth bypass via path traversal |
| 🟡 | intitle:"GitHub Enterprise" inurl:login | GitHub Enterprise Server (GHES) | CVE-2024-9487 | GitHub Enterprise Server (GHES) login portal. OAuth enforced; SAML bypass on affected versions |
| 🟡 | intitle:"Grafana" inurl:login | Grafana | CVE-2021-43798 | Grafana login portal. anonymous access misconfiguration common |
| 🟡 | intitle:"Log in to Grafana" | Grafana | | Grafana login. CVE-2021-43798 path traversal needs no login. |
| 🟡 | intitle:"Jupyter" intext:"Password or token" inurl:login | Jupyter | | Jupyter token login. Token-in-URL or blank-token instances = notebook RCE. |
| 🟡 | intitle:"Jupyter" inurl:login | Jupyter Notebook / JupyterLab | CVE-2019-10255 | Jupyter Notebook / JupyterLab login portal. modern deployments consistently locked; older --NotebookApp.token= blank is unauth RCE |
| 🟡 | intitle:"JupyterHub" inurl:login | JupyterHub | CVE-2026-33709 | JupyterHub login portal. auth on by default since v1.x |
| 🟡 | intitle:"Keycloak" inurl:login | Keycloak | CVE-2024-3656 | Keycloak login portal. login required for admin; OIDC discovery endpoints unauthenticated |
| 🟡 | intitle:"Label Studio" inurl:login | Label Studio | CVE-2022-25011 | Label Studio login portal. mandatory auth; /api/projects sometimes misconfigured readable |
| 🟡 | intitle:"Langflow" inurl:login | Langflow | CVE-2026-33017 | Langflow login portal. LANGFLOW_AUTO_LOGIN gating in v1.5+, often left open |
| 🟡 | intitle:"Sign in to Langfuse" -site:langfuse.com | Langfuse | | Langfuse sign-in. Open-signup (signUpDisabled:false) gives authenticated API access. |
| 🟡 | intitle:"MLflow" inurl:login | MLflow | CVE-2024-37052 | MLflow login portal. no auth by default |
| 🟡 | intitle:"Mage" inurl:login | Mage.ai | CVE-2025-2129 | Mage.ai login portal. no auth pre-v0.9.78; ~1,045 confirmed unauth at disclosure |
| 🟡 | intitle:"Metabase" inurl:login | Metabase | CVE-2023-38646 | Metabase login portal. setup-wizard bypass; has-user-setup: false = exploitable |
| 🟡 | intitle:"Login - Metabase" | Metabase | | Metabase login. /api/session/properties setup-token = claimable admin (CVE-2023-38646). |
| 🟡 | intitle:"Conductor UI" inurl:login | Netflix Conductor | CVE-2020-9296 | Netflix Conductor login portal. no auth by default |
| 🟡 | intitle:"Sign in" intext:"Open WebUI" -site:openwebui.com | Open WebUI | | Open WebUI sign-in. First account = admin; effectively unauth on fresh installs. |
| 🟡 | intitle:"Ray Dashboard" inurl:login | Ray Dashboard | CVE-2023-48022 | Ray Dashboard login portal. no auth; ShadowRay actively exploited |
| 🟡 | intitle:"authentik" inurl:"/if/flow/" | authentik | | authentik flow executor. initial-setup flow claimable on fresh deploys (CVE-2024-47070). |
| 🟡 | intitle:"n8n" inurl:login | n8n | CVE-2024-25289 | n8n login portal. basicauth optional and frequently skipped |
| ⚪ | intitle:"Aim" inurl:login | Aim Experiment Tracker | | Aim Experiment Tracker login portal. no auth mechanism |
| ⚪ | intitle:"AnythingLLM" intext:"sign in" | AnythingLLM | | AnythingLLM login. Known auth-bypass history; multi-user workspace data. |
| ⚪ | intitle:"DolphinScheduler" inurl:login | Apache DolphinScheduler | | Apache DolphinScheduler login portal. default-creds admin/dolphinscheduler123 |
| ⚪ | intitle:"Sign In - Superset" | Apache Superset | | Superset login. Default SECRET_KEY = session forge (CVE-2023-27524). |
| ⚪ | intitle:"Apache Tika" inurl:login | Apache Tika | | Apache Tika login portal. SSRF history; arbitrary file read |
| ⚪ | intitle:"Argo CD" intext:"Log in via" | Argo CD | | Argo CD login. /api/v1/settings (public) leaks OIDC issuer = operator attribution. |
| ⚪ | intitle:"Arize Phoenix" inurl:login | Arize Phoenix | | Arize Phoenix login portal. no auth, --host 0.0.0.0 default |
| ⚪ | intitle:"Authelia" inurl:login | Authelia | | Authelia login portal. login portal to all downstream services |
| ⚪ | intitle:"Authelia" intext:"Login" | Authelia | | Authelia auth portal (often fronts other AI services). |
| ⚪ | intitle:"Axolotl" inurl:login | Axolotl | | Axolotl login portal. None |
| ⚪ | intitle:"CVAT" inurl:login | CVAT | | CVAT login portal. auth on by default |
| ⚪ | intitle:"Cadence" inurl:login | Cadence Workflow | | Cadence Workflow login portal. CADENCE_WEB_AUTH_STRATEGY=disabled default |
| ⚪ | intitle:"Sign in to continue" intext:"Casdoor" -site:casdoor.org | Casdoor | | Casdoor-fronted app login. IAM CRUD when default-admin unchanged. |
| ⚪ | intitle:"ClearML" inurl:login | ClearML | | ClearML login portal. ships with free access login; explicit opt-in required for real auth |
| ⚪ | intitle:"Comet" inurl:login | Comet ML | | Comet ML login portal. default-creds admin:admin on versions <24.9.8 |
| ⚪ | intitle:"Opik" inurl:login | Comet Opik | | Comet Opik login portal. auth was feature request as of 2025; likely open |
| ⚪ | intitle:"Dagster" inurl:login | Dagster | | Dagster login portal. no auth since 2020; runConfigYaml exposes all credentials |
| ⚪ | intitle:"Determined" inurl:login | Determined AI | | Determined AI login portal. default-creds admin with blank password |
| ⚪ | intitle:"Dify" inurl:login | Dify | | Dify login portal. login-gated but version leaks in headers |
| ⚪ | intitle:"Dify" intext:"Sign in" -site:dify.ai | Dify | | Dify sign-in. Self-hosted app-builder; stack version leaks in headers. |
| ⚪ | intitle:"doccano" inurl:login | Doccano | | Doccano login portal. auth on by default; /v1/health open for fingerprinting |
| ⚪ | intitle:"Docling" inurl:login | Docling | | Docling login portal. None |
| ⚪ | intitle:"Dyad" inurl:login | Dyad | | Dyad login portal. None |
| ⚪ | intitle:"Evidently - ML Monitoring" inurl:login | Evidently ML Monitoring | | Evidently ML Monitoring login portal. no auth concept in default deploy |
| ⚪ | intitle:"Sign in" intext:"Flowise" -site:flowiseai.com | Flowise | | Flowise login. Pre-1.8.2 auth bypass (CVE-2024-36420). |
| ⚪ | intitle:"Flyte Console" inurl:login | Flyte | | Flyte login portal. useAuth:false in defaults; MinIO default creds |
| ⚪ | intitle:"Gradio" inurl:login | Gradio | | Gradio login portal. no auth by default |
| ⚪ | intitle:"Hatchet" inurl:login | Hatchet | | Hatchet login portal. default-creds admin@example.com/Admin123!! |
| ⚪ | intitle:"Helicone" inurl:login | Helicone | | Helicone login portal. None |
| ⚪ | intitle:"JupyterHub" inurl:"hub/login" | JupyterHub | | JupyterHub login. Misconfig = notebook exec as server user. |
| ⚪ | intitle:"Kestra" inurl:login | Kestra | | Kestra login portal. auth off pre-v0.24.0 |
| ⚪ | intitle:"Welcome to Keycloak" | Keycloak | | Keycloak welcome/admin. CVE-2024-3656 admin API class. |
| ⚪ | inurl:"/auth/realms/" intext:"account" | Keycloak | | Keycloak realm endpoint. Enumerates realms + clients. |
| ⚪ | intitle:"Kong Manager" inurl:login | Kong AI Gateway | | Kong AI Gateway login portal. admin API no auth when bound to 0.0.0.0 |
| ⚪ | intitle:"Kubeflow Central Dashboard" inurl:login | Kubeflow | | Kubeflow login portal. single-user mode no auth |
| ⚪ | allintitle:"Sign In Kubeflow" | Kubeflow | | Kubeflow Central Dashboard login. Pipelines + notebooks + model registry. |
| ⚪ | intitle:"LLaMA Factory" inurl:login | LLaMA Factory | | LLaMA Factory login portal. None |
| ⚪ | intitle:"Label Studio" intext:"Log In" | Label Studio | | Label Studio login (CVE-2022-25011 class). Annotation projects + data. |
| ⚪ | intitle:"LangSmith" inurl:login | LangSmith | | LangSmith login portal. auth-off on pre-v0.10 deployments |
| ⚪ | intitle:"Sign in" intext:"LibreChat" | LibreChat | | LibreChat login. Registration-open instances grant chat + configured provider keys. |
| ⚪ | intitle:"LiteLLM" inurl:login | LiteLLM | | LiteLLM login portal. master key often leaked in env |
| ⚪ | intitle:"Sign In" intext:"MLflow" -site:databricks.com | MLflow | | MLflow auth page. Default config has no auth behind it. |
| ⚪ | intitle:"Open WebUI" inurl:login | Open WebUI | | Open WebUI login portal. first-user-admin, effectively unauth on fresh deploys |
| ⚪ | intitle:"Optuna Dashboard" inurl:login | Optuna Dashboard | | Optuna Dashboard login portal. no auth when containerized |
| ⚪ | intitle:"Orthanc Explorer" inurl:login | Orthanc DICOM Server | | Orthanc DICOM Server login portal. no auth by default; PHI exposure |
| ⚪ | intitle:"Portainer" intext:"login" | Portainer | | Portainer (Docker UI). Often fronts AI container stacks; container takeover. |
| ⚪ | intitle:"Portkey" inurl:login | Portkey | | Portkey login portal. provider API keys in config |
| ⚪ | intitle:"Prefect Server" inurl:login | Prefect Server | | Prefect Server login portal. PREFECT_SERVER_API_AUTH_STRING not set by default |
| ⚪ | intitle:"PromptLayer" inurl:login | PromptLayer | | PromptLayer login portal. logs every prompt/response with keys |
| ⚪ | intitle:"RagFlow" intext:"Sign in" | RAGFlow | | RAGFlow login (CVE-2024-12880). Knowledge bases + ingestion. |
| ⚪ | intitle:"Ray" intext:"Dashboard" inurl:8265 | Ray Dashboard | | Ray Dashboard (CVE-2023-48022 ShadowRay unauth RCE). |
| ⚪ | intitle:"Redash" inurl:login | Redash | | Redash login portal. None |
| ⚪ | intitle:"Refact" inurl:login | Refact.ai (self-hosted) | | Refact.ai (self-hosted) login portal. auth off initially; community edition accepts any API key value |
| ⚪ | intitle:"Omniboard" inurl:login | Sacred / Omniboard | | Sacred / Omniboard login portal. no auth; source code with hardcoded creds exposed |
| ⚪ | intitle:"Sourcebot" inurl:login | Sourcebot | | Sourcebot login portal. None |
| ⚪ | intitle:"Sourcegraph" inurl:login | Sourcegraph / Cody | | Sourcegraph / Cody login portal. built-in auth; free-license instances promote all users to site-admin |
| ⚪ | intitle:"History Server" inurl:login | Spark History Server | | Spark History Server login portal. no auth by default; job env vars include AWS/GCS credentials |
| ⚪ | intitle:"Streamlit" inurl:login | Streamlit | | Streamlit login portal. no auth concept in framework; T1 |
| ⚪ | intitle:"Temporal" inurl:login | Temporal Workflow | | Temporal Workflow login portal. noopAuthorizer compiled in; OIDC requires custom plugin |
| ⚪ | intitle:"TensorBoard" inurl:login | TensorBoard | | TensorBoard login portal. no auth concept in standalone mode |
| ⚪ | intitle:"Trino" inurl:login | Trino / Presto | | Trino / Presto login portal. no auth by default |
| ⚪ | intitle:"Tyk" inurl:login | Tyk Gateway | | Tyk Gateway login portal. default-creds shipped in tyk.conf.example |
| ⚪ | intitle:"Unstructured" inurl:login | Unstructured API | | Unstructured API login portal. None |
| ⚪ | intitle:"Weights & Biases" inurl:login | Weights & Biases (W&B) | | Weights & Biases (W&B) login portal. auth on by default |
| ⚪ | intitle:"Windmill" inurl:login | Windmill | | Windmill login portal. default-creds admin@windmill.dev/changeme |
| ⚪ | intitle:"ZenML" inurl:login | ZenML Server | | ZenML Server login portal. default password empty string |
| ⚪ | intitle:"ZITADEL" inurl:login | Zitadel | | Zitadel login portal. System API requires JWT; OIDC discovery unauthenticated |
| ⚪ | intitle:"dcm4chee Archive UI" inurl:login | dcm4chee Archive | | dcm4chee Archive login portal. Keycloak-fronted; auth state may be misconfigured |
| ⚪ | intitle:"n8n" intext:"Sign in" -site:n8n.io | n8n | | n8n sign-in. owner setup sometimes skipped; /rest/ legacy API may be ungated. |

Sensitive Directories

65 dorks

| T | Dork | Service | CVE | Notes |
|---|---|---|---|---|
| 🟡 | intitle:"index of" intext:"chroma.sqlite3" | ChromaDB | | ChromaDB artifact directory (chroma.sqlite3) exposed. |
| 🟡 | intitle:"index of" "chroma.sqlite3" | ChromaDB | | ChromaDB persistent store. Embeddings + source document text + metadata. |
| 🟡 | intitle:"index of" intext:".safetensors" | ComfyUI | | ComfyUI artifact directory (.safetensors) exposed. |
| 🟡 | intitle:"index of" intext:"checkpoints" | ComfyUI | | ComfyUI artifact directory (checkpoints) exposed. |
| 🟡 | intitle:"index of" "index.faiss" | FAISS | | FAISS index (LangChain/LlamaIndex default). Paired index.pkl holds the docs. |
| 🟡 | intitle:"index of" "index.pkl" intext:"faiss" | FAISS | | FAISS docstore pickle. Deserialization-sensitive + leaks indexed corpus. |
| 🟡 | intitle:"index of" "service_account.json" | GCP | | GCP service-account key. Vertex AI / GCS access in one file. |
| 🟡 | intitle:"index of" intext:"model.safetensors" | Hugging Face TGI | | Hugging Face TGI artifact directory (model.safetensors) exposed. |
| 🟡 | intitle:"index of" ".huggingface" intext:"token" | HuggingFace | | HuggingFace cached token dir. hf_ token = model/dataset/Space access. |
| 🟡 | intitle:"index of" intext:".ckpt" | InvokeAI | | InvokeAI artifact directory (.ckpt) exposed. |
| 🟡 | intitle:"index of" intext:".ipynb" intext:"OPENAI" | Jupyter | | Notebooks in an open dir containing OpenAI key references. |
| 🟡 | intitle:"index of" "kaggle.json" | Kaggle | | Kaggle API token. Dataset + competition access. |
| 🟡 | intitle:"index of" intext:".lance" | LanceDB | | LanceDB artifact directory (.lance) exposed. |
| 🟡 | intitle:"index of" ".lance" | LanceDB | | LanceDB columnar vector store files. |
| 🟡 | intitle:"index of" "litellm_config.yaml" | LiteLLM | | LiteLLM proxy config. model_list with provider api_key values inline. |
| 🟡 | intitle:"index of" "docstore.json" | LlamaIndex | | LlamaIndex storage dir. Full ingested document store + node graph. |
| 🟡 | intitle:"index of" intext:".gguf" | LocalAI | | LocalAI artifact directory (.gguf) exposed. |
| 🟡 | intitle:"index of" intext:"mlruns" | MLflow | CVE-2024-37052 | MLflow artifact directory (mlruns) exposed. |
| 🟡 | intitle:"index of" "mlruns" | MLflow | | MLflow mlruns tree. Params, metrics, artifacts, model registry per run. |
| 🟡 | intitle:"index of" intext:"qdrant_storage" | Qdrant | | Qdrant artifact directory (qdrant_storage) exposed. |
| 🟡 | intitle:"index of" "qdrant_storage" | Qdrant | | Qdrant on-disk storage dir. Raw vectors + payloads. |
| 🟡 | intitle:"index of" intext:"models/Stable-diffusion" | Stable Diffusion WebUI (AUTOMATIC1111) | | Stable Diffusion WebUI (AUTOMATIC1111) artifact directory (models/Stable-diffusion) exposed. |
| 🟡 | intitle:"index of" ".streamlit" | Streamlit | | Streamlit config dir. secrets.toml holds API keys + DB creds in plaintext. |
| 🟡 | intitle:"index of" "secrets.toml" | Streamlit | | Streamlit secrets file directly. Provider keys, DB strings. |
| 🟡 | intitle:"index of" intext:"events.out.tfevents" | TensorBoard | | TensorBoard artifact directory (events.out.tfevents) exposed. |
| 🟡 | intitle:"index of" "events.out.tfevents" | TensorBoard | | TensorBoard event files. Loss/metric curves, graph, sometimes sample data. |
| 🟡 | intitle:"index of" intext:"ggml-base.bin" | Whisper ASR | | Whisper ASR artifact directory (ggml-base.bin) exposed. |
| 🟡 | intitle:"index of" "train.jsonl" | dataset | | Training corpus in JSONL. The actual fine-tune data, often proprietary or PII. |
| 🟡 | intitle:"index of" "adapter_model.safetensors" | fine-tune | | LoRA/QLoRA fine-tune adapter. Reveals what a base model was specialized on. |
| 🟡 | intitle:"index of" "trainer_state.json" | fine-tune | | HF Trainer state: loss curve, LR schedule, checkpoint steps. Training-run disclosure. |
| 🟡 | intitle:index.of "models/Stable-diffusion" | image_gen | | AUTOMATIC1111/ComfyUI checkpoint dir. SD/SDXL/LoRA model store. |
| 🟡 | intitle:"index of" ".safetensors" | model weights | | Open dir of SafeTensors model weights. Fine-tuned model IP + training-compute cost. |
| 🟡 | intitle:"index of" ".gguf" | model weights | | Open dir of GGUF quantized weights (llama.cpp/Ollama). Full model exfil. |
| 🟡 | intitle:"index of" "consolidated.00.pth" | model weights | | Llama/Mistral raw checkpoint shard. Original weights, pre-quant. |
| 🟡 | intitle:"index of" "pytorch_model.bin" | model weights | | HuggingFace PyTorch weight file in an open listing. |
| 🟡 | intitle:"index of" "embeddings.pkl" | rag | | Pickled embedding store. Deserialization risk + corpus leak. |
| 🟡 | intitle:"index of" intext:"config.json" | vLLM | | vLLM artifact directory (config.json) exposed. |
| 🟡 | intitle:"index of" intext:"tokenizer.json" | vLLM | | vLLM artifact directory (tokenizer.json) exposed. |
| ⚪ | intitle:"index of" "docker-compose.yml" intext:"flowise" | Flowise | | Flowise compose file. Often embeds FLOWISE_USERNAME/PASSWORD. |
| ⚪ | intitle:"index of" ".ipynb_checkpoints" | Jupyter | | Jupyter checkpoint dir. Autosaved notebooks, frequently with inline keys. |
| ⚪ | intitle:index.of ".jupyter" | Jupyter | | Jupyter config dir. jupyter_server_config may hold a hashed/again token. |
| ⚪ | intitle:"index of" "litellm" intext:".yaml" | LiteLLM | | LiteLLM yaml config in an open listing. |
| ⚪ | intitle:"index of" "index_store.json" | LlamaIndex | | LlamaIndex index metadata. Confirms a persisted RAG index. |
| ⚪ | index.of.mlruns | MLflow | | Dotted-form sweep for MLflow run trees. |
| ⚪ | intitle:"index of" "docker-compose.yml" intext:"ollama" | Ollama | | Ollama compose file. Port maps, volumes, env vars. |
| ⚪ | intitle:index.of "raft_state.json" | Qdrant | | Qdrant cluster raft state in an open listing. |
| ⚪ | intitle:index.of "wandb" intext:"run-" | W&B | | Weights & Biases local run dir. Configs, logs, possibly API key in settings. |
| ⚪ | "Index of" "/weaviate_data" | Weaviate | | Weaviate persistence volume in an open listing. |
| ⚪ | intitle:"index of" "agent_memory" | agent | | Persisted agent memory dir. Conversation history + tool state. |
| ⚪ | intitle:"index of" "chat_history" intext:".json" | agent | | Stored chat transcripts. Prompt + PII exposure. |
| ⚪ | intitle:"index of" "dataset.jsonl" | dataset | | Generic dataset JSONL in an open listing. |
| ⚪ | intitle:"index of" "embeddings.parquet" | dataset | | Parquet embedding export. Bulk vector + metadata dump. |
| ⚪ | intitle:index.of "finetune" intext:".jsonl" | dataset | | Fine-tune data directory. |
| ⚪ | intitle:"index of" ".dvc" intext:"config" | dataset | | DVC data-version config. Remote storage URLs + sometimes creds. |
| ⚪ | intitle:index.of "checkpoint-" intext:"trainer_state" | fine-tune | | HF Trainer checkpoint dir series. |
| ⚪ | intitle:"index of" "loras" intext:".safetensors" | image_gen | | LoRA directory for diffusion models. Custom-trained styles/subjects. |
| ⚪ | intitle:"index of" "system_prompt" intext:".txt" | prompts | | Stored system prompts. Reveals agent instructions + guardrail logic. |
| ⚪ | intitle:"index of" "prompts" intext:".jinja" | prompts | | Jinja prompt template dir. Prompt-injection surface mapping. |
| ⚪ | intitle:"index of" "vectorstore" | rag | | Generic RAG vector store dir. Embeddings + chunked source docs. |
| ⚪ | intitle:index.of.embeddings | rag | | Dotted-form sweep for embedding directories. |
| ⚪ | intitle:"index of" "lightning_logs" | training | | PyTorch Lightning log tree. Checkpoints + hparams.yaml. |
| ⚪ | intitle:"index of" "optuna.db" | training | | Optuna study SQLite. Hyperparameter search trials. |
| ⚪ | intitle:"index of" "deepspeed_config.json" | training | | DeepSpeed training config. Cluster + optimizer setup disclosure. |
| ⚪ | intitle:"index of" "params.yaml" intext:"model" | training | | DVC/ML pipeline params. Model + training hyperparameters. |
| ⚪ | intitle:index.of "checkpoints" intext:".pt" | training | | PyTorch checkpoint dir (.pt). Resumable training weights. |

Web Server Detection

247 dorks

| T | Dork | Service | CVE | Notes |
|---|---|---|---|---|
| 🟡 | intext:"apache airflow" -site:github.com | Apache Airflow | CVE-2020-13927 | Apache Airflow body fingerprint. |
| 🟡 | intext:"dag-runs" -site:github.com | Apache Airflow | CVE-2020-13927 | Apache Airflow body fingerprint. |
| 🟡 | intext:"Apache Atlas" -site:github.com | Apache Atlas | | Apache Atlas body fingerprint. |
| 🟡 | intext:"/api/atlas/v2" -site:github.com | Apache Atlas | | Apache Atlas body fingerprint. |
| 🟡 | intext:"/dolphinscheduler/ui" -site:github.com | Apache DolphinScheduler | | Apache DolphinScheduler body fingerprint. |
| 🟡 | intext:"flink-version" -site:github.com | Apache Flink | CVE-2020-17518 | Apache Flink body fingerprint. |
| 🟡 | intext:"apache_superset" -site:github.com | Apache Superset | CVE-2023-27524 | Apache Superset body fingerprint. |
| 🟡 | intext:"superset_load_chart" -site:github.com | Apache Superset | CVE-2023-27524 | Apache Superset body fingerprint. |
| 🟡 | intext:"argoproj" -site:github.com | Argo Workflows | CVE-2026-28229 | Argo Workflows body fingerprint. |
| 🟡 | intext:"goauthentik.io" -site:github.com | Authentik | CVE-2024-47070 | Authentik body fingerprint. |
| 🟡 | intext:"AutoGen Studio" -site:github.com | AutoGen / AutoGen Studio | | AutoGen / AutoGen Studio body fingerprint. |
| 🟡 | intext:"suno-ai/bark" -site:github.com | Bark TTS | | Bark TTS body fingerprint. |
| 🟡 | intext:"/api/3/action" -site:github.com | CKAN | CVE-2023-32321 | CKAN body fingerprint. |
| 🟡 | intext:"Computer Vision Annotation Tool" -site:github.com | CVAT | | CVAT body fingerprint. |
| 🟡 | intext:"built-in" -site:github.com | Casdoor | CVE-2024-41657 | Casdoor body fingerprint. |
| 🟡 | intext:"/api/v1/heartbeat" -site:github.com | ChromaDB | | ChromaDB body fingerprint. |
| 🟡 | intext:"nanosecond heartbeat" -site:github.com | ChromaDB | | ChromaDB: Unique body match for /api/v*/heartbeat. 48/48 surveyed unauth. |
| 🟡 | intext:"availableAccounts" -site:github.com | Claude Relay | | Claude Relay: Pooled-Anthropic-account relay schema. Co-anchor thirdPartyMaxConcurrent for zero-FP. |
| 🟡 | intext:"/api/v1/cognify" -site:github.com | Cognee | | Cognee body fingerprint. |
| 🟡 | intext:"/api/test-cases" -site:github.com | DeepEval | | DeepEval body fingerprint. |
| 🟡 | intext:"/v1/projects" -site:github.com | Doccano | | Doccano body fingerprint. |
| 🟡 | intext:"/v2/_catalog" -site:github.com | Docker Registry | | Docker Registry body fingerprint. |
| 🟡 | intext:"DocsGPT" -site:github.com | DocsGPT | CVE-2025-0868 | DocsGPT body fingerprint. |
| 🟡 | intext:"elasticsearch" -site:github.com | Elasticsearch | CVE-2024-23445 | Elasticsearch body fingerprint. |
| 🟡 | intext:"lucene_version" -site:github.com | Elasticsearch | CVE-2024-23445 | Elasticsearch body fingerprint. |
| 🟡 | intext:"Low-code LLM apps builder" -site:github.com | Flowise | CVE-2024-36420 | Flowise body fingerprint. |
| 🟡 | intext:"/set_gpt_weights" -site:github.com | GPT-SoVITS | CVE-2025-49833 | GPT-SoVITS body fingerprint. |
| 🟡 | intext:"/api/kernels" -site:github.com | Jupyter Notebook / JupyterLab | CVE-2019-10255 | Jupyter Notebook / JupyterLab body fingerprint. |
| 🟡 | intext:"/hub/login" -site:github.com | JupyterHub | CVE-2026-33709 | JupyterHub body fingerprint. |
| 🟡 | intext:"kestra/kestra" -site:github.com | Kestra | | Kestra body fingerprint. |
| 🟡 | intext:"/realms/master" -site:github.com | Keycloak | CVE-2024-3656 | Keycloak body fingerprint. |
| 🟡 | intext:"public_key" -site:github.com | Keycloak | CVE-2024-3656 | Keycloak body fingerprint. |
| 🟡 | intext:"/dev/captioned_speech" -site:github.com | Kokoro TTS / Kokoro-FastAPI | | Kokoro TTS / Kokoro-FastAPI body fingerprint. |
| 🟡 | intext:"LLM Guard API" -site:github.com | LLM Guard (Protect AI) | | LLM Guard (Protect AI) body fingerprint. |
| 🟡 | intext:"laiyer/llm-guard" -site:github.com | LLM Guard (Protect AI) | | LLM Guard (Protect AI) body fingerprint. |
| 🟡 | intext:"label-studio" -site:github.com | Label Studio | CVE-2022-25011 | Label Studio body fingerprint. |
| 🟡 | intext:"/api/v1/auto_login" -site:github.com | Langflow | CVE-2026-33017 | Langflow body fingerprint. |
| 🟡 | intext:"signUpDisabled:false" -site:github.com | Langfuse | | Langfuse: Open-signup: anyone can register and gain authenticated API access. In __NEXT_DATA__ on /auth/sign-in. |
| 🟡 | intext:"litellm_global_spend" -site:github.com | LiteLLM | | LiteLLM: Exposes operator cumulative LLM spend without auth. |
| 🟡 | intext:"meta-llama/Llama-Guard" -site:github.com | LlamaGuard | | LlamaGuard body fingerprint. |
| 🟡 | intext:"protocolVersion" -site:github.com | MCP | | MCP: JSON-RPC initialize response field. Strongest honeypot filter (1.1% pollution). |
| 🟡 | intext:"/api/2.0/mlflow" -site:github.com | MLflow | CVE-2024-37052 | MLflow body fingerprint. |
| 🟡 | intext:"MONAI Label" -site:github.com | MONAI Label Server | | MONAI Label Server body fingerprint. |
| 🟡 | intext:"MONAI Inference" -site:github.com | MONAI Label Server | | MONAI Label Server body fingerprint. |
| 🟡 | intext:"mage-ai" -site:github.com | Mage.ai | CVE-2025-2129 | Mage.ai body fingerprint. |
| 🟡 | intext:"/api/session/properties" -site:github.com | Metabase | CVE-2023-38646 | Metabase body fingerprint. |
| 🟡 | intext:"metabase_session" -site:github.com | Metabase | CVE-2023-38646 | Metabase body fingerprint. |
| 🟡 | intext:"setup-token" -site:github.com | Metabase | CVE-2023-38646 | Metabase: Non-null in /api/session/properties = admin registration claimable via POST /api/setup. Two-request takeover. |
| 🟡 | intext:"MinIO Console" -site:github.com | MinIO | CVE-2023-28432 | MinIO body fingerprint. |
| 🟡 | intext:"nvidia nim" -site:github.com | NVIDIA NIM | CVE-2025-23242 | NVIDIA NIM body fingerprint. |
| 🟡 | intext:"nemo-toolkit" -site:github.com | NVIDIA NeMo (ASR) | CVE-2025-23242 | NVIDIA NeMo (ASR) body fingerprint. |
| 🟡 | intext:"NVIDIA NeMo" -site:github.com | NVIDIA NeMo (ASR) | CVE-2025-23242 | NVIDIA NeMo (ASR) body fingerprint. |
| 🟡 | intext:"ownerApp" -site:github.com | Netflix Conductor | CVE-2020-9296 | Netflix Conductor body fingerprint. |
| 🟡 | intext:"/api/metadata/workflow" -site:github.com | Netflix Conductor | CVE-2020-9296 | Netflix Conductor body fingerprint. |
| 🟡 | intext:"Ollama is running" -site:github.com | Ollama | CVE-2024-37032 | Ollama body fingerprint. |
| 🟡 | intext:"/v1/policies" -site:github.com | Open Policy Agent (OPA) | | Open Policy Agent (OPA) body fingerprint. |
| 🟡 | intext:"/v1/data" -site:github.com | Open Policy Agent (OPA) | | Open Policy Agent (OPA) body fingerprint. |
| 🟡 | intext:"/api/options/config" -site:github.com | OpenHands | | OpenHands: Returns {"APP_MODE":"oss"}. OPENHANDS_AUTH_TOKEN unset by default. Filesystem access. |
| 🟡 | intext:"open-metadata" -site:github.com | OpenMetadata | CVE-2024-28255 | OpenMetadata body fingerprint. |
| 🟡 | intext:"/v1/audio/speech" -site:github.com | Orpheus-FastAPI TTS | | Orpheus-FastAPI TTS body fingerprint. |
| 🟡 | intext:"/admin/clients" -site:github.com | Ory Hydra | | Ory Hydra body fingerprint. |
| 🟡 | intext:"/admin/identities" -site:github.com | Ory Kratos | | Ory Kratos body fingerprint. |
| 🟡 | intext:"csrf_protection_enabled:false" -site:github.com | Prefect | | Prefect: Default config; CSRF disabled + cors '*'. 9/15 sampled unauth. |
| 🟡 | intext:"/api/evals" -site:github.com | Promptfoo | | Promptfoo body fingerprint. |
| 🟡 | intext:"pyannote/audio" -site:github.com | Pyannote | | Pyannote body fingerprint. |
| 🟡 | intext:"Qdrant Web UI" -site:github.com | Qdrant | | Qdrant body fingerprint. |
| 🟡 | intext:"second brain" -site:github.com | Quivr | | Quivr body fingerprint. |
| 🟡 | intext:"ragflow" -site:github.com | RAGFlow | CVE-2024-12880 | RAGFlow body fingerprint. |
| 🟡 | intext:"rvc-webui" -site:github.com | RVC (Retrieval-based Voice Conversion) | CVE-2025-43842 | RVC (Retrieval-based Voice Conversion) body fingerprint. |
| 🟡 | intext:"Retrieval-based-Voice-Conversion" -site:github.com | RVC (Retrieval-based Voice Conversion) | CVE-2025-43842 | RVC (Retrieval-based Voice Conversion) body fingerprint. |
| 🟡 | intext:"ray serve" -site:github.com | Ray Dashboard | CVE-2023-48022 | Ray Dashboard body fingerprint. |
| 🟡 | intext:"/api/data_sources" -site:github.com | Redash | | Redash body fingerprint. |
| 🟡 | intext:"Redis Stack" -site:github.com | Redis | CVE-2025-49844 | Redis body fingerprint. |
| 🟡 | intext:"Grid Console" -site:github.com | Selenium Grid | | Selenium Grid body fingerprint. |
| 🟡 | intext:"Spark History Server" -site:github.com | Spark History Server | | Spark History Server body fingerprint. |
| 🟡 | intext:"/v1/completions" -site:github.com | Tabby (TabbyML) | | Tabby (TabbyML) body fingerprint. |
| 🟡 | intext:"/data/runs" -site:github.com | TensorBoard | | TensorBoard body fingerprint. |
| 🟡 | intext:"nextPageToken" -site:github.com | TorchServe | CVE-2023-43654 | TorchServe body fingerprint. |
| 🟡 | intext:"/analyze/prompt" -site:github.com | Vigil LLM | | Vigil LLM body fingerprint. |
| 🟡 | intext:"Weaviate Console" -site:github.com | Weaviate | | Weaviate body fingerprint. |
| 🟡 | intext:"nearly-live implementation" -site:github.com | WhisperLive | | WhisperLive body fingerprint. |
| 🟡 | intext:"/ui/console" -site:github.com | Zitadel | | Zitadel body fingerprint. |
| 🟡 | intext:"Infinity Emb" -site:github.com | infinity-embedding | | infinity-embedding body fingerprint. |
| 🟡 | intext:"/v1/chat/completions" -site:github.com | llama.cpp | | llama.cpp body fingerprint. |
| 🟡 | intext:"/rest/login" -site:github.com | n8n | CVE-2024-25289 | n8n body fingerprint. |
| 🟡 | intext:"n8n - Workflow Automation" -site:github.com | n8n | CVE-2024-25289 | n8n body fingerprint. |
| ⚪ | intext:"Agent UI" -site:github.com | Agno (formerly Phidata) | | Agno (formerly Phidata) body fingerprint. |
| ⚪ | intext:"KafkaTopicList" -site:github.com | Apache Kafka REST Proxy | | Apache Kafka REST Proxy body fingerprint. |
| ⚪ | intext:"MusicGen" -site:github.com | AudioCraft / MusicGen | | AudioCraft / MusicGen body fingerprint. |
| ⚪ | intext:"cadenceClusters" -site:github.com | Cadence Workflow | | Cadence Workflow body fingerprint. |
| ⚪ | intext:"Evidently.AI" -site:github.com | Evidently ML Monitoring | | Evidently ML Monitoring body fingerprint. |
| ⚪ | intext:"InvokeAI" -site:github.com | InvokeAI | | InvokeAI body fingerprint. |
| ⚪ | intext:"taskRunList" -site:github.com | Kestra | | Kestra body fingerprint. |
| ⚪ | intext:"LightRAG" -site:github.com | LightRAG | | LightRAG body fingerprint. |
| ⚪ | intext:"Llama-Guard-3" -site:github.com | LlamaGuard | | LlamaGuard body fingerprint. |
| ⚪ | intext:"focusMode" -site:github.com | Perplexica | | Perplexica body fingerprint. |
| ⚪ | intext:"AUTOMATIC1111" -site:github.com | Stable Diffusion WebUI (AUTOMATIC1111) | | Stable Diffusion WebUI (AUTOMATIC1111) body fingerprint. |
| ⚪ | intext:"StyleTTS" -site:github.com | StyleTTS2 | | StyleTTS2 body fingerprint. |
| ⚪ | intext:"buildIdBasedVersioning" -site:github.com | Temporal Workflow | | Temporal Workflow body fingerprint. |
| ⚪ | intext:"nodeVersion" -site:github.com | Trino / Presto | | Trino / Presto body fingerprint. |
| ⚪ | intext:"WhisperX" -site:github.com | Whisper ASR | | Whisper ASR body fingerprint. |
| ⚪ | intext:"WhisperLive" -site:github.com | WhisperLive | | WhisperLive body fingerprint. |
| 🟤 | intext:"abliterated" -site:github.com | Abliterated/refusal-stripped Ollama models | | Abliterated/refusal-stripped Ollama models body fingerprint. |
| 🟤 | intext:"qwen3.5-abliterated" -site:github.com | Abliterated/refusal-stripped Ollama models | | Abliterated/refusal-stripped Ollama models body fingerprint. |
| 🟤 | intext:"reworkd" -site:github.com | AgentGPT | | AgentGPT body fingerprint. |
| 🟤 | intext:"agno-agents" -site:github.com | Agno (formerly Phidata) | | Agno (formerly Phidata) body fingerprint. |
| 🟤 | intext:"AllTalk" -site:github.com | AllTalk TTS | | AllTalk TTS body fingerprint. |
| 🟤 | intext:"andurilapis" -site:github.com | Anduril Lattice | | Anduril Lattice body fingerprint. |
| 🟤 | intext:"arangodb" -site:github.com | ArangoDB | | ArangoDB body fingerprint. |
| 🟤 | intext:"arize-phoenix" -site:github.com | Arize Phoenix | | Arize Phoenix body fingerprint. |
| 🟤 | intext:"audiocraft" -site:github.com | AudioCraft / MusicGen | | AudioCraft / MusicGen body fingerprint. |
| 🟤 | intext:"autogen" -site:github.com | AutoGen / AutoGen Studio | | AutoGen / AutoGen Studio body fingerprint. |
| 🟤 | intext:"suno-ai" -site:github.com | Bark TTS | | Bark TTS body fingerprint. |
| 🟤 | intext:"bentoml" -site:github.com | BentoML | | BentoML body fingerprint. |
| 🟤 | intext:"cadence-web" -site:github.com | Cadence Workflow | | Cadence Workflow body fingerprint. |
| 🟤 | intext:"Chainlit" -site:github.com | Chainlit | | Chainlit body fingerprint. |
| 🟤 | intext:"chatterbox" -site:github.com | Chatterbox TTS | | Chatterbox TTS body fingerprint. |
| 🟤 | intext:"chromadb" -site:github.com | ChromaDB | | ChromaDB body fingerprint. |
| 🟤 | intext:"cognita" -site:github.com | Cognita | | Cognita body fingerprint. |
| 🟤 | intext:"truefoundry" -site:github.com | Cognita | | Cognita body fingerprint. |
| 🟤 | intext:"comet-ml" -site:github.com | Comet ML | | Comet ML body fingerprint. |
| 🟤 | intext:"comet" -site:github.com | Comet Opik | | Comet Opik body fingerprint. |
| 🟤 | intext:"dagster_webserver_version" -site:github.com | Dagster | | Dagster body fingerprint. |
| 🟤 | intext:"danswer" -site:github.com | Danswer / Onyx | | Danswer / Onyx body fingerprint. |
| 🟤 | intext:"connector" -site:github.com | Danswer / Onyx | | Danswer / Onyx body fingerprint. |
| 🟤 | intext:"datahubproject" -site:github.com | DataHub | | DataHub body fingerprint. |
| 🟤 | intext:"deepeval" -site:github.com | DeepEval | | DeepEval body fingerprint. |
| 🟤 | intext:"system_health" -site:github.com | Deepgram Self-Hosted | | Deepgram Self-Hosted body fingerprint. |
| 🟤 | intext:"active_batch_requests" -site:github.com | Deepgram Self-Hosted | | Deepgram Self-Hosted body fingerprint. |
| 🟤 | intext:"_catalog" -site:github.com | Docker Registry | | Docker Registry body fingerprint. |
| 🟤 | intext:"dyad-generated-app" -site:github.com | Dyad | | Dyad body fingerprint. |
| 🟤 | intext:"f5-tts" -site:github.com | F5-TTS / E2-TTS | | F5-TTS / E2-TTS body fingerprint. |
| 🟤 | intext:"F5_TTS" -site:github.com | F5-TTS / E2-TTS | | F5-TTS / E2-TTS body fingerprint. |
| 🟤 | intext:"FastMCP" -site:github.com | FastMCP | | FastMCP body fingerprint. |
| 🟤 | intext:"fauxpilot" -site:github.com | FauxPilot | | FauxPilot body fingerprint. |
| 🟤 | intext:"codegen" -site:github.com | FauxPilot | | FauxPilot body fingerprint. |
| 🟤 | intext:"feast" -site:github.com | Feast Feature Store | | Feast Feature Store body fingerprint. |
| 🟤 | intext:"feature_names" -site:github.com | Feast Feature Store | | Feast Feature Store body fingerprint. |
| 🟤 | intext:"flyteadmin" -site:github.com | Flyte | | Flyte body fingerprint. |
| 🟤 | intext:"gpt_researcher" -site:github.com | GPT Researcher | | GPT Researcher body fingerprint. |
| 🟤 | intext:"gpt-researcher" -site:github.com | GPT Researcher | | GPT Researcher body fingerprint. |
| 🟤 | intext:"GPT4All" -site:github.com | GPT4All | | GPT4All body fingerprint. |
| 🟤 | intext:"gr-app" -site:github.com | Gradio | | Gradio body fingerprint. |
| 🟤 | intext:"great_expectations" -site:github.com | Great Expectations | | Great Expectations body fingerprint. |
| 🟤 | intext:"guardrails-ai" -site:github.com | Guardrails AI | | Guardrails AI body fingerprint. |
| 🟤 | intext:"guardrailsai.com" -site:github.com | Guardrails AI | | Guardrails AI body fingerprint. |
| 🟤 | intext:"hexstrike-ai" -site:github.com | HexStrike AI | | HexStrike AI body fingerprint. |
| 🟤 | intext:"hexstrike" -site:github.com | HexStrike AI | | HexStrike AI body fingerprint. |
| 🟤 | intext:"deepseek-v4-pro" -site:github.com | Honeypot / Canary (fabricated model names) | | Honeypot / Canary (fabricated model names) body fingerprint. |
| 🟤 | intext:"glm-4.7-flash" -site:github.com | Honeypot / Canary (fabricated model names) | | Honeypot / Canary (fabricated model names) body fingerprint. |
| 🟤 | intext:"tokenization_workers" -site:github.com | Hugging Face TGI | | Hugging Face TGI body fingerprint. |
| 🟤 | intext:"text-generation-inference" -site:github.com | Hugging Face TGI | | Hugging Face TGI body fingerprint. |
| 🟤 | intext:"inspect-ai" -site:github.com | Inspect AI (UK AISI) | | Inspect AI (UK AISI) body fingerprint. |
| 🟤 | intext:"ai-proxy" -site:github.com | Kong AI Gateway | | Kong AI Gateway body fingerprint. |
| 🟤 | intext:"kotaemon" -site:github.com | Kotaemon | | Kotaemon body fingerprint. |
| 🟤 | intext:"kubeflow" -site:github.com | Kubeflow | | Kubeflow body fingerprint. |
| 🟤 | intext:"ml-pipeline" -site:github.com | Kubeflow | | Kubeflow body fingerprint. |
| 🟤 | intext:"llama-factory" -site:github.com | LLaMA Factory | | LLaMA Factory body fingerprint. |
| 🟤 | intext:"lm studio" -site:github.com | LM Studio | | LM Studio body fingerprint. |
| 🟤 | intext:"lakera-guard" -site:github.com | Lakera Guard | | Lakera Guard body fingerprint. |
| 🟤 | intext:"lakera" -site:github.com | Lakera Guard | | Lakera Guard body fingerprint. |
| 🟤 | intext:"lancedb" -site:github.com | LanceDB | | LanceDB body fingerprint. |
🟤intext:"livekit-agents" -site:github.comLiveKit AgentsLiveKit Agents body fingerprint.
🟤intext:"localai" -site:github.comLocalAILocalAI body fingerprint.
🟤intext:"modelcontextprotocol" -site:github.comMCP Server (generic)MCP Server (generic) body fingerprint.
🟤intext:"mcp.json" -site:github.comMCP Server (generic)MCP Server (generic) body fingerprint.
🟤intext:"marquezproject" -site:github.comMarquez (OpenLineage)Marquez (OpenLineage) body fingerprint.
🟤intext:"mem0migrations" -site:github.comMem0Mem0 body fingerprint.
🟤intext:"memgraph" -site:github.comMemgraphMemgraph body fingerprint.
🟤intext:"milvus" -site:github.comMilvusMilvus body fingerprint.
🟤intext:"mozilla-tts" -site:github.comMozilla TTSMozilla TTS body fingerprint.
🟤intext:"nemo-guardrails" -site:github.comNeMo GuardrailsNeMo Guardrails body fingerprint.
🟤intext:"nemoguardrails" -site:github.comNeMo GuardrailsNeMo Guardrails body fingerprint.
🟤intext:"neo4j_version" -site:github.comNeo4jNeo4j body fingerprint.
🟤intext:"neon.tech" -site:github.comNeon PostgresNeon Postgres body fingerprint.
🟤intext:"open-webui" -site:github.comOpen WebUIOpen WebUI body fingerprint.
🟤intext:"clawdbot" -site:github.comOpenClaw / ClawdbotOpenClaw / Clawdbot body fingerprint.
🟤intext:"opendevin" -site:github.comOpenHands (formerly OpenDevin)OpenHands (formerly OpenDevin) body fingerprint.
🟤intext:"opensearch" -site:github.comOpenSearchOpenSearch body fingerprint.
🟤intext:"opensearch-dashboards" -site:github.comOpenSearchOpenSearch body fingerprint.
🟤intext:"se_extractor" -site:github.comOpenVoiceOpenVoice body fingerprint.
🟤intext:"optuna" -site:github.comOptuna DashboardOptuna Dashboard body fingerprint.
🟤intext:"Orpheus" -site:github.comOrpheus-FastAPI TTSOrpheus-FastAPI TTS body fingerprint.
🟤intext:"pipecat-ai" -site:github.comPipecatPipecat body fingerprint.
🟤intext:"piper-tts" -site:github.comPiper TTSPiper TTS body fingerprint.
🟤intext:"piper-http" -site:github.comPiper TTSPiper TTS body fingerprint.
🟤intext:"playwright-mcp" -site:github.comPlaywright MCP ServerPlaywright MCP Server body fingerprint.
🟤intext:"prefect" -site:github.comPrefect ServerPrefect Server body fingerprint.
🟤intext:"privategpt" -site:github.comPrivateGPTPrivateGPT body fingerprint.
🟤intext:"prodigy" -site:github.comProdigyProdigy body fingerprint.
🟤intext:"pyannote" -site:github.comPyannotePyannote body fingerprint.
🟤intext:"quivr" -site:github.comQuivrQuivr body fingerprint.
🟤intext:"ragapp" -site:github.comRagappRagapp body fingerprint.
🟤intext:"/admin" -site:github.comRagappRagapp body fingerprint.
🟤intext:"coding_assistant_caps" -site:github.comRefact.ai (self-hosted)Refact.ai (self-hosted) body fingerprint.
🟤intext:"refact-caps" -site:github.comRefact.ai (self-hosted)Refact.ai (self-hosted) body fingerprint.
🟤intext:"Restate" -site:github.comRestateRestate body fingerprint.
🟤intext:"restatedev" -site:github.comRestateRestate body fingerprint.
🟤intext:"retell-ai" -site:github.comRetell AIRetell AI body fingerprint.
🟤intext:"retell-sdk" -site:github.comRetell AIRetell AI body fingerprint.
🟤intext:"sglang" -site:github.comSGLangSGLang body fingerprint.
🟤intext:"swe-agent" -site:github.comSWE-agentSWE-agent body fingerprint.
🟤intext:"swe-bench" -site:github.comSWE-agentSWE-agent body fingerprint.
🟤intext:"selenium" -site:github.comSelenium GridSelenium Grid body fingerprint.
🟤intext:"skyvern" -site:github.comSkyvernSkyvern body fingerprint.
🟤intext:"sourcegraph-frontend" -site:github.comSourcegraph / CodySourcegraph / Cody body fingerprint.
🟤intext:"speechbrain.pretrained" -site:github.comSpeechBrainSpeechBrain body fingerprint.
🟤intext:"txt2img" -site:github.comStable Diffusion WebUI (AUTOMATIC1111)Stable Diffusion WebUI (AUTOMATIC1111) body fingerprint.
🟤intext:"streamlit-app" -site:github.comStreamlitStreamlit body fingerprint.
🟤intext:"styletts2" -site:github.comStyleTTS2StyleTTS2 body fingerprint.
🟤intext:"supabase" -site:github.comSupabaseSupabase body fingerprint.
🟤intext:"surrealdb" -site:github.comSurrealDBSurrealDB body fingerprint.
🟤intext:"sweepai" -site:github.comSweep AISweep AI body fingerprint.
🟤intext:"tabbyml" -site:github.comTabby (TabbyML)Tabby (TabbyML) body fingerprint.
🟤intext:"model_version_status" -site:github.comTensorFlow ServingTensorFlow Serving body fingerprint.
🟤intext:"serving_default" -site:github.comTensorFlow ServingTensorFlow Serving body fingerprint.
🟤intext:"text-embeddings-inference" -site:github.comText Embeddings Inference (TEI)Text Embeddings Inference (TEI) body fingerprint.
🟤intext:"feature-extraction" -site:github.comText Embeddings Inference (TEI)Text Embeddings Inference (TEI) body fingerprint.
🟤intext:"timescaledb" -site:github.comTimescale / TimescaleDBTimescale / TimescaleDB body fingerprint.
🟤intext:"tortoise-tts" -site:github.comTortoise TTSTortoise TTS body fingerprint.
🟤intext:"voice_samples" -site:github.comTortoise TTSTortoise TTS body fingerprint.
🟤intext:"trulens_feedback" -site:github.comTruLensTruLens body fingerprint.
🟤intext:"typesense" -site:github.comTypesenseTypesense body fingerprint.
🟤intext:"unsloth" -site:github.comUnslothUnsloth body fingerprint.
🟤intext:"unstructured-api" -site:github.comUnstructured APIUnstructured API body fingerprint.
🟤intext:"Verba" -site:github.comVerbaVerba body fingerprint.
🟤intext:"goldenverba" -site:github.comVerbaVerba body fingerprint.
🟤intext:"vespa" -site:github.comVespaVespa body fingerprint.
🟤intext:"vigil" -site:github.comVigil LLMVigil LLM body fingerprint.
🟤intext:"vocode" -site:github.comVocodeVocode body fingerprint.
🟤intext:"vocode-python" -site:github.comVocodeVocode body fingerprint.
🟤intext:"wandb" -site:github.comWeights & Biases (W&B)Weights & Biases (W&B) body fingerprint.
🟤intext:"wandb-local" -site:github.comWeights & Biases (W&B)Weights & Biases (W&B) body fingerprint.
🟤intext:"faster-whisper" -site:github.comWhisper ASRWhisper ASR body fingerprint.
🟤intext:"windmill.dev" -site:github.comWindmillWindmill body fingerprint.
🟤intext:"worker_count" -site:github.comWindmillWindmill body fingerprint.
🟤intext:"bolt.diy" -site:github.combolt.diy / bolt.newbolt.diy / bolt.new body fingerprint.
🟤intext:"bolt.new" -site:github.combolt.diy / bolt.newbolt.diy / bolt.new body fingerprint.
🟤intext:"code-server" -site:github.comcode-server (Coder)code-server (Coder) body fingerprint.
🟤intext:"coder-options" -site:github.comcode-server (Coder)code-server (Coder) body fingerprint.
🟤intext:"dcm4che" -site:github.comdcm4chee Archivedcm4chee Archive body fingerprint.
🟤intext:"dcm4chee-arc" -site:github.comdcm4chee Archivedcm4chee Archive body fingerprint.
🟤intext:"h2oGPT" -site:github.comh2oGPTh2oGPT body fingerprint.
🟤intext:"infinity_emb" -site:github.cominfinity-embeddinginfinity-embedding body fingerprint.
🟤intext:"llama.cpp" -site:github.comllama.cppllama.cpp body fingerprint.
🟤intext:"pgvector" -site:github.compgvectorpgvector body fingerprint.
🟤intext:"so-vits-svc" -site:github.comso-vits-svcso-vits-svc body fingerprint.

Vulnerable Files

60 dorks

| Tier | Dork | Service | CVE | Notes |
|---|---|---|---|---|
| 🟡 | inurl:"/agents" intext:"Agno" | Agno | | Agno endpoint co-anchored on ‘Agno’. Pre-run disclosure: agent descriptions name data sources (PostgreSQL, email, Asana). Manifest = CRITICAL. |
| 🟡 | inurl:"/api/v1/settings" intext:"Argo" | Argo CD | | Argo CD endpoint co-anchored on ‘Argo’. Public-by-design; OIDC issuer URL discloses Azure AD tenant UUID / Okta hostname = operator attribution. |
| 🟡 | inurl:"/v1/traces" intext:"Arize" | Arize Phoenix | | Arize Phoenix endpoint co-anchored on ‘Arize’. Returns 200 to unauthenticated POST on 100% of surveyed instances. OTLP data-poisoning of cost analytics + eval scores. |
| 🟡 | inurl:"/api/version" intext:"AutoGen" | AutoGen Studio | | AutoGen Studio endpoint co-anchored on ‘AutoGen’. Returns Microsoft AutoGen version JSON. Auth disabled by default; /api/teams leaks inline API keys. |
| 🟡 | inurl:"/api/v2/tenants/default_tenant/databases/default_database/collections" -site:github.com | ChromaDB | | ChromaDB: v2 collection path, no auth on default. RAG knowledge bases + agent memory + PII docs. |
| 🟡 | inurl:"/api/v2/tenants/default_tenant/databases/default_database/collections" intext:"ChromaDB" | ChromaDB | | ChromaDB endpoint co-anchored on ‘ChromaDB’. v2 collection path, no auth on default. RAG knowledge bases + agent memory + PII docs. |
| 🟡 | inurl:"/api/v1/cognify" -site:github.com | Cognee | | Cognee: Knowledge-graph ingestion endpoint. Memory pipeline surface. |
| 🟡 | inurl:"/api/v1/cognify" intext:"Cognee" | Cognee | | Cognee endpoint co-anchored on ‘Cognee’. Knowledge-graph ingestion endpoint. Memory pipeline surface. |
| 🟡 | inurl:"/v1/catalog/services" intext:"Consul" | Consul | | Consul endpoint co-anchored on ‘Consul’. Service catalog. Internal topology. |
| 🟡 | inurl:"/v2/_catalog" intext:"Registry" | Docker Registry | | Docker Registry endpoint co-anchored on ‘Registry’. Image catalog. Operator attribution via image names (Jetson, PACS, finance). |
| 🟡 | inurl:"/config_dump" intext:"Envoy" | Envoy Admin | | Envoy Admin endpoint co-anchored on ‘Envoy’. Full Envoy config JSON. downstream_auth_password.inline_string = plaintext Redis-AUTH. |
| 🟡 | inurl:"/v1/sys/health" intext:"HashiCorp" | HashiCorp Vault | | HashiCorp Vault endpoint co-anchored on ‘HashiCorp’. Vault health + sealed state. Initialization status. |
| 🟡 | inurl:"/v2/models/" intext:"KServe" | KServe | | KServe endpoint co-anchored on ‘KServe’. V2 inference protocol model list. |
| 🟡 | inurl:"/services" intext:"Kong" | Kong Admin | | Kong Admin endpoint co-anchored on ‘Kong’. Kong admin API (port 8001) no auth by default. Full gateway reconfiguration. |
| 🟡 | inurl:"/api/v1/runs" intext:"Kubeflow" | Kubeflow | | Kubeflow endpoint co-anchored on ‘Kubeflow’. Pipeline runs. ML workflow + artifact paths. |
| 🟡 | inurl:"/v1/agents/" intext:"Letta" | Letta/MemGPT | | Letta/MemGPT endpoint co-anchored on ‘Letta’. Agent memory store. Lists agents + persisted memory blocks. |
| 🟡 | inurl:"/v1/model/info" intext:"LiteLLM" | LiteLLM | | LiteLLM endpoint co-anchored on ‘LiteLLM’. Reveals litellm_params incl. real api_base behind advertised model IDs. Model-impersonation discriminator. |
| 🟡 | inurl:"/api/v1/collections" -site:github.com | Milvus | | Milvus: Collection list. Attu GUI on :3000 loads without auth. |
| 🟡 | inurl:"/api/v1/collections" intext:"Milvus" | Milvus | | Milvus endpoint co-anchored on ‘Milvus’. Collection list. Attu GUI on :3000 loads without auth. |
| 🟡 | inurl:"/metrics" intext:"DCGM" | NVIDIA DCGM | | NVIDIA DCGM endpoint co-anchored on ‘DCGM’. GPU telemetry. Utilization + process names. |
| 🟡 | inurl:"/v1/policies" intext:"Policy" | Open Policy Agent | | Open Policy Agent endpoint co-anchored on ‘Policy’. OPA policy list. Exposes authz logic when admin API unauth. |
| 🟡 | inurl:"/api/config" intext:"WebUI" | Open WebUI | | Open WebUI endpoint co-anchored on ‘WebUI’. Config endpoint. signup-enabled flag. First-user-admin. |
| 🟡 | inurl:"/api/v1/private/projects" -site:github.com | Opik | | Opik: Project list + operator name without auth. Full API write (experiments, prompts, datasets). |
| 🟡 | inurl:"/api/v1/private/projects" intext:"Opik" | Opik | | Opik endpoint co-anchored on ‘Opik’. Project list + operator name without auth. Full API write (experiments, prompts, datasets). |
| 🟡 | inurl:"/api/user/email" -site:github.com | Promptfoo | | Promptfoo: Returns {"email":null} unauth. Best single-probe auth detector. Provider configs + eval datasets readable. |
| 🟡 | inurl:"/api/user/email" intext:"Promptfoo" | Promptfoo | | Promptfoo endpoint co-anchored on ‘Promptfoo’. Returns {"email":null} unauth. Best single-probe auth detector. Provider configs + eval datasets readable. |
| 🟡 | inurl:"/collections" intext:"Qdrant" | Qdrant | | Qdrant endpoint co-anchored on ‘Qdrant’. Collection list. No auth by default. Raw embeddings + payloads. |
| 🟡 | inurl:"FT._LIST" intext:"Redis" | Redis Stack | | Redis Stack endpoint co-anchored on ‘Redis’. RESP command listing all RediSearch index names. 78/78 surveyed unauth. Vector index inventory. |
| 🟡 | inurl:"/hello" intext:"SuperTokens" | SuperTokens | | SuperTokens endpoint co-anchored on ‘SuperTokens’. Returns exactly ‘Hello’ on port 3567. No API key by default. Full user identity store open. |
| 🟡 | inurl:"/__vite_ping" intext:"Vite" | Vite Dev Server | | Vite Dev Server endpoint co-anchored on ‘Vite’. Returns ‘pong’. Vite dev server in production exposes all src/ TypeScript at /src/. |
| 🟡 | inurl:"/v1/objects" intext:"Weaviate" | Weaviate | | Weaviate endpoint co-anchored on ‘Weaviate’. Object store. 100% unauth at population scale. |
| 🟡 | inurl:"/api/v2/sessions-ordered" -site:github.com | Zep CE | | Zep CE: Agent memory sessions. Empty api_secret default = bypass via ‘Api-Key ’ trailing space. |
| 🟡 | inurl:"/api/v2/sessions-ordered" intext:"Zep" | Zep CE | | Zep CE endpoint co-anchored on ‘Zep’. Agent memory sessions. Empty api_secret default = bypass via ‘Api-Key ’ trailing space. |
| 🟡 | inurl:"/v3/kv/range" intext:"etcd" | etcd | | etcd endpoint co-anchored on ‘etcd’. Key-value range read. Cluster secrets when unauth. |
| 🟡 | inurl:"/rest/settings" intext:"n8n" | n8n | | n8n endpoint co-anchored on ‘n8n’. Returns n8n config incl. publicApi.enabled. Confirms presence; ungated-legacy pattern. |
| 🟡 | inurl:"/v1/metrics" intext:"vLLM" | vLLM | | vLLM endpoint co-anchored on ‘vLLM’. Prometheus vllm: metrics incl. model path + token counts unauth. ClimateGPT: 92M prompt tokens exposed. |
| | inurl:"/agents" -site:github.com | Agno | | Agno: Pre-run disclosure: agent descriptions name data sources (PostgreSQL, email, Asana). Manifest = CRITICAL. |
| | inurl:"/api/v1/settings" -site:github.com | Argo CD | | Argo CD: Public-by-design; OIDC issuer URL discloses Azure AD tenant UUID / Okta hostname = operator attribution. |
| | inurl:"/v1/traces" -site:github.com | Arize Phoenix | | Arize Phoenix: Returns 200 to unauthenticated POST on 100% of surveyed instances. OTLP data-poisoning of cost analytics + eval scores. |
| | inurl:"/api/version" -site:github.com | AutoGen Studio | | AutoGen Studio: Returns Microsoft AutoGen version JSON. Auth disabled by default; /api/teams leaks inline API keys. |
| | inurl:"/v1/catalog/services" -site:github.com | Consul | | Consul: Service catalog. Internal topology. |
| | inurl:"/v2/_catalog" -site:github.com | Docker Registry | | Docker Registry: Image catalog. Operator attribution via image names (Jetson, PACS, finance). |
| | inurl:"/config_dump" -site:github.com | Envoy Admin | | Envoy Admin: Full Envoy config JSON. downstream_auth_password.inline_string = plaintext Redis-AUTH. |
| | inurl:"/v1/sys/health" -site:github.com | HashiCorp Vault | | HashiCorp Vault: Vault health + sealed state. Initialization status. |
| | inurl:"/v2/models/" -site:github.com | KServe | | KServe: V2 inference protocol model list. |
| | inurl:"/services" -site:github.com | Kong Admin | | Kong Admin: Kong admin API (port 8001) no auth by default. Full gateway reconfiguration. |
| | inurl:"/api/v1/runs" -site:github.com | Kubeflow | | Kubeflow: Pipeline runs. ML workflow + artifact paths. |
| | inurl:"/v1/agents/" -site:github.com | Letta/MemGPT | | Letta/MemGPT: Agent memory store. Lists agents + persisted memory blocks. |
| | inurl:"/v1/model/info" -site:github.com | LiteLLM | | LiteLLM: Reveals litellm_params incl. real api_base behind advertised model IDs. Model-impersonation discriminator. |
| | inurl:"/metrics" -site:github.com | NVIDIA DCGM | | NVIDIA DCGM: GPU telemetry. Utilization + process names. |
| | inurl:"/v1/policies" -site:github.com | Open Policy Agent | | Open Policy Agent: OPA policy list. Exposes authz logic when admin API unauth. |
| | inurl:"/api/config" -site:github.com | Open WebUI | | Open WebUI: Config endpoint. signup-enabled flag. First-user-admin. |
| | inurl:"/collections" -site:github.com | Qdrant | | Qdrant: Collection list. No auth by default. Raw embeddings + payloads. |
| | inurl:"FT._LIST" -site:github.com | Redis Stack | | Redis Stack: RESP command listing all RediSearch index names. 78/78 surveyed unauth. Vector index inventory. |
| | inurl:"/hello" -site:github.com | SuperTokens | | SuperTokens: Returns exactly ‘Hello’ on port 3567. No API key by default. Full user identity store open. |
| | inurl:"/__vite_ping" -site:github.com | Vite Dev Server | | Vite Dev Server: Returns ‘pong’. Vite dev server in production exposes all src/ TypeScript at /src/. |
| | inurl:"/v1/objects" -site:github.com | Weaviate | | Weaviate: Object store. 100% unauth at population scale. |
| | inurl:"/v3/kv/range" -site:github.com | etcd | | etcd: Key-value range read. Cluster secrets when unauth. |
| | inurl:"/rest/settings" -site:github.com | n8n | | n8n: Returns n8n config incl. publicApi.enabled. Confirms presence; ungated-legacy pattern. |
| | inurl:"/v1/metrics" -site:github.com | vLLM | | vLLM: Prometheus vllm: metrics incl. model path + token counts unauth. ClimateGPT: 92M prompt tokens exposed. |

Vulnerable Servers

27 dorks

| Tier | Dork | Service | CVE | Notes |
|---|---|---|---|---|
| 🟡 | intitle:"Airflow" intext:"version" -site:github.com | Apache Airflow | CVE-2020-13927 | Apache Airflow version disclosure. CVE-2020-13927. auth on with 8 documented bypass patterns |
| 🟡 | intitle:"Apache Flink Web Dashboard" intext:"version" -site:github.com | Apache Flink | CVE-2020-17518 | Apache Flink version disclosure. CVE-2020-17518. no auth by default |
| 🟡 | intitle:"Apache Superset" intext:"version" -site:github.com | Apache Superset | CVE-2023-27524 | Apache Superset version disclosure. CVE-2023-27524. default SECRET_KEY leads to auth bypass |
| 🟡 | intitle:"Argilla" intext:"version" -site:github.com | Argilla | CVE-2023-38686 | Argilla version disclosure. CVE-2023-38686. auth on since v1.x; default-public workspace misconfiguration seen |
| 🟡 | intitle:"Argo" intext:"version" -site:github.com | Argo Workflows | CVE-2026-28229 | Argo Workflows version disclosure. CVE-2026-28229. --auth-mode=server disables all credential requirements |
| 🟡 | intitle:"authentik" intext:"version" -site:github.com | Authentik | CVE-2024-47070 | Authentik version disclosure. CVE-2024-47070. login required; /api/v3/root/config/ pre-auth accessible |
| 🟡 | intitle:"CKAN" intext:"version" -site:github.com | CKAN | CVE-2023-32321 | CKAN version disclosure. CVE-2023-32321. reads open by design |
| 🟡 | intitle:"Casdoor" intext:"version" -site:github.com | Casdoor | CVE-2024-41657 | Casdoor version disclosure. CVE-2024-41657. default-creds built-in/admin/123 |
| 🟡 | intitle:"Flowise" intext:"version" -site:github.com | Flowise | CVE-2024-36420 | Flowise version disclosure. CVE-2024-36420. mixed auth; pre-1.8.2 auth bypass via path traversal |
| 🟡 | intitle:"GPT-SoVITS" intext:"version" -site:github.com | GPT-SoVITS | CVE-2025-49833 | GPT-SoVITS version disclosure. CVE-2025-49833. no auth by default; command injection RCE |
| 🟡 | intitle:"GitHub Enterprise" intext:"version" -site:github.com | GitHub Enterprise Server (GHES) | CVE-2024-9487 | GitHub Enterprise Server (GHES) version disclosure. CVE-2024-9487. OAuth enforced; SAML bypass on affected versions |
| 🟡 | intitle:"Grafana" intext:"version" -site:github.com | Grafana | CVE-2021-43798 | Grafana version disclosure. CVE-2021-43798. anonymous access misconfiguration common |
| 🟡 | intitle:"Jupyter" intext:"version" -site:github.com | Jupyter Notebook / JupyterLab | CVE-2019-10255 | Jupyter Notebook / JupyterLab version disclosure. CVE-2019-10255. modern deployments consistently locked; older --NotebookApp.token= blank is unauth RCE |
| 🟡 | intitle:"JupyterHub" intext:"version" -site:github.com | JupyterHub | CVE-2026-33709 | JupyterHub version disclosure. CVE-2026-33709. auth on by default since v1.x |
| 🟡 | intitle:"Keycloak" intext:"version" -site:github.com | Keycloak | CVE-2024-3656 | Keycloak version disclosure. CVE-2024-3656. login required for admin; OIDC discovery endpoints unauthenticated |
| 🟡 | intitle:"Label Studio" intext:"version" -site:github.com | Label Studio | CVE-2022-25011 | Label Studio version disclosure. CVE-2022-25011. mandatory auth; /api/projects sometimes misconfigured readable |
| 🟡 | intitle:"Langflow" intext:"version" -site:github.com | Langflow | CVE-2026-33017 | Langflow version disclosure. CVE-2026-33017. LANGFLOW_AUTO_LOGIN gating in v1.5+, often left open |
| 🟡 | intitle:"MLflow" intext:"version" -site:github.com | MLflow | CVE-2024-37052 | MLflow version disclosure. CVE-2024-37052. no auth by default |
| 🟡 | intitle:"Mage" intext:"version" -site:github.com | Mage.ai | CVE-2025-2129 | Mage.ai version disclosure. CVE-2025-2129. no auth pre-v0.9.78; ~1,045 confirmed unauth at disclosure |
| 🟡 | intitle:"Metabase" intext:"version" -site:github.com | Metabase | CVE-2023-38646 | Metabase version disclosure. CVE-2023-38646. setup-wizard bypass; has-user-setup: false = exploitable |
| 🟡 | intitle:"MinIO Browser" intext:"version" -site:github.com | MinIO | CVE-2023-28432 | MinIO version disclosure. CVE-2023-28432. default-creds minioadmin:minioadmin |
| 🟡 | intitle:"Conductor UI" intext:"version" -site:github.com | Netflix Conductor | CVE-2020-9296 | Netflix Conductor version disclosure. CVE-2020-9296. no auth by default |
| 🟡 | intitle:"OpenMetadata" intext:"version" -site:github.com | OpenMetadata | CVE-2024-28255 | OpenMetadata version disclosure. CVE-2024-28255. auth on but CVE-2024-28255 bypass on <1.3.1; actively exploited |
| 🟡 | intitle:"RVC" intext:"version" -site:github.com | RVC (Retrieval-based Voice Conversion) | CVE-2025-43842 | RVC (Retrieval-based Voice Conversion) version disclosure. CVE-2025-43842. no auth by default; RCE via pickle deserialization |
| 🟡 | intitle:"Ray Dashboard" intext:"version" -site:github.com | Ray Dashboard | CVE-2023-48022 | Ray Dashboard version disclosure. CVE-2023-48022. no auth; ShadowRay actively exploited |
| 🟡 | intitle:"RedisInsight" intext:"version" -site:github.com | Redis | CVE-2025-49844 | Redis version disclosure. CVE-2025-49844. no password by default on ~68k of 245k instances |
| 🟡 | intitle:"n8n" intext:"version" -site:github.com | n8n | CVE-2024-25289 | n8n version disclosure. CVE-2024-25289. basicauth optional and frequently skipped |

Error Messages

27 dorks

| Tier | Dork | Service | CVE | Notes |
|---|---|---|---|---|
| 🟡 | "anthropic.AuthenticationError" -site:github.com -site:stackoverflow.com | Anthropic SDK | | Anthropic SDK auth error in production traceback. |
| 🟡 | "Traceback (most recent call last)" intext:"uvicorn" intext:"openai" -site:github.com -site:stackoverflow.com | FastAPI | | FastAPI/uvicorn traceback in an LLM app. Full call stack + file paths. |
| 🟡 | "litellm.exceptions.AuthenticationError" -site:github.com -site:stackoverflow.com | LiteLLM | | LiteLLM auth exception. Reveals proxy config + provider. |
| 🟡 | "mlflow.exceptions.MlflowException" -site:github.com -site:stackoverflow.com | MLflow | | MLflow exception. Experiment names, artifact paths, tracking URI. |
| 🟡 | "openai.AuthenticationError" -site:github.com -site:stackoverflow.com | OpenAI SDK | | OpenAI SDK auth-error traceback in a DEBUG-mode app. Leaks call site + sometimes key tail. |
| 🟡 | "openai.RateLimitError" "Traceback" -site:github.com -site:stackoverflow.com | OpenAI SDK | | OpenAI rate-limit traceback. Confirms live key + the calling code path. |
| 🟡 | "qdrant_client.http.exceptions.UnexpectedResponse" -site:github.com -site:stackoverflow.com | Qdrant | | Qdrant client exception. Leaks collection names + endpoint. |
| 🟡 | "streamlit" "KeyError" intext:"st.secrets" -site:github.com -site:stackoverflow.com | Streamlit | | Streamlit secrets KeyError. Confirms a secrets.toml exists and names its keys. |
| 🟡 | "weaviate.exceptions.UnexpectedStatusCodeException" -site:github.com -site:stackoverflow.com | Weaviate | | Weaviate client exception. Leaks schema/class names + host. |
| 🟡 | "transformers" "is not a local folder and is not a valid model identifier" -site:github.com -site:stackoverflow.com | transformers | | Transformers model-load error leaking the local filesystem path attempted. |
| | "anthropic.APIStatusError" -site:github.com -site:stackoverflow.com | Anthropic SDK | | Anthropic API status error leaked in app output. |
| | "chromadb.errors" "Traceback" -site:github.com -site:stackoverflow.com | ChromaDB | | ChromaDB error traceback. Collection + tenant disclosure. |
| | "pydantic_core._pydantic_core.ValidationError" intext:"openai" -site:github.com -site:stackoverflow.com | FastAPI | | Pydantic validation traceback in an OpenAI-using FastAPI app. |
| | "torch.cuda.OutOfMemoryError" -site:github.com -site:stackoverflow.com | GPU inference | | CUDA OOM traceback. Confirms a live GPU inference box, leaks model + device. |
| | "CUDA out of memory. Tried to allocate" -site:github.com -site:stackoverflow.com | GPU inference | | Verbatim CUDA OOM string. GPU model-serving box in DEBUG. |
| | "gradio" "Traceback (most recent call last)" -site:github.com -site:stackoverflow.com | Gradio | | Gradio app traceback. Reveals handler code + file paths. |
| | "huggingface_hub.utils._errors.RepositoryNotFoundError" -site:github.com -site:stackoverflow.com | HuggingFace | | HF hub repo-not-found traceback. Leaks attempted model id + token state. |
| | "huggingface_hub" "GatedRepoError" -site:github.com -site:stackoverflow.com | HuggingFace | | HF gated-repo error. Reveals model id + that a token was used. |
| | "Internal Server Error" intext:"langchain" -site:github.com -site:stackoverflow.com | LangChain | | LangChain app 500 leaking framework in body. |
| | "langchain_core.exceptions.OutputParserException" -site:github.com -site:stackoverflow.com | LangChain | | LangChain output-parser exception. Leaks prompt/chain structure. |
| | "mlflow.exceptions.RestException" -site:github.com -site:stackoverflow.com | MLflow | | MLflow REST exception in production. |
| | "ollama._types.ResponseError" -site:github.com -site:stackoverflow.com | Ollama | | Ollama python client error traceback. |
| | "llama runner process has terminated" -site:github.com -site:stackoverflow.com | Ollama | | Ollama runner crash string. Confirms live Ollama + model load failure. |
| | "pinecone" "ApiException" "Traceback" -site:github.com -site:stackoverflow.com | Pinecone | | Pinecone client exception. Index name + environment leak. |
| | "redis.exceptions.ConnectionError" "Traceback" -site:github.com -site:stackoverflow.com | Redis | | Redis connection error. Host + port of the cache/vector layer. |
| | "sqlalchemy.exc.OperationalError" intext:"pgvector" -site:github.com -site:stackoverflow.com | pgvector | | SQLAlchemy error referencing pgvector. DB host + sometimes DSN. |
| | "vllm.engine" "RayActorError" -site:github.com -site:stackoverflow.com | vLLM | | vLLM+Ray engine error. Cluster topology disclosure. |

Files Containing Juicy Info

24 dorks

| Tier | Dork | Service | CVE | Notes |
|---|---|---|---|---|
| | intext:"AKIA" "AWS_SECRET_ACCESS_KEY" -site:github.com | AWS | | AWS AKIA co-anchored with AWS_SECRET_ACCESS_KEY (prefix too broad alone). |
| | intext:"AWS_ACCESS_KEY_ID" filetype:env | AWS | | AWS AWS_ACCESS_KEY_ID env-var in .env file. |
| | intext:"AGENTA_AUTH_KEY" "agenta" -site:github.com | Agenta | | Agenta AGENTA_AUTH_KEY co-anchored with agenta (prefix too broad alone). |
| | intext:"ANTHROPIC_API_KEY" filetype:env | Anthropic | | Anthropic ANTHROPIC_API_KEY env-var in .env file. |
| | intext:"GITHUB_TOKEN" filetype:env | GitHub | | GitHub GITHUB_TOKEN env-var in .env file. |
| | intext:"GITLAB_TOKEN" filetype:env | GitLab | | GitLab GITLAB_TOKEN env-var in .env file. |
| | intext:"AIzaSy" "generativelanguage" -site:github.com | Google/Gemini | | Google/Gemini AIzaSy co-anchored with generativelanguage (prefix too broad alone). |
| | intext:"GOOGLE_API_KEY" filetype:env | Google/Gemini | | Google/Gemini GOOGLE_API_KEY env-var in .env file. |
| | intext:"gsk_" "GROQ_API_KEY" -site:github.com | Groq | | Groq gsk_ co-anchored with GROQ_API_KEY (prefix too broad alone). |
| | intext:"GROQ_API_KEY" filetype:env | Groq | | Groq GROQ_API_KEY env-var in .env file. |
| | intext:"hf_" "HF_TOKEN" -site:github.com | HuggingFace | | HuggingFace hf_ co-anchored with HF_TOKEN (prefix too broad alone). |
| | intext:"HF_TOKEN" filetype:env | HuggingFace | | HuggingFace HF_TOKEN env-var in .env file. |
| | intext:"LANGSMITH_API_KEY" filetype:env | LangSmith | | LangSmith LANGSMITH_API_KEY env-var in .env file. |
| | intext:"LANGFUSE_SECRET_KEY" filetype:env | Langfuse | | Langfuse LANGFUSE_SECRET_KEY env-var in .env file. |
| | intext:"LANGFUSE_PUBLIC_KEY" filetype:env | Langfuse | | Langfuse LANGFUSE_PUBLIC_KEY env-var in .env file. |
| | intext:"NEXTAUTH_SECRET" "langfuse" -site:github.com | Langfuse | | Langfuse NEXTAUTH_SECRET co-anchored with langfuse (prefix too broad alone). |
| | intext:"ENCRYPTION_KEY" "langfuse" -site:github.com | Langfuse | | Langfuse ENCRYPTION_KEY co-anchored with langfuse (prefix too broad alone). |
| | intext:"sk-proj-" "openai" -site:github.com | OpenAI | | OpenAI sk-proj- co-anchored with openai (prefix too broad alone). |
| | intext:"OPENAI_API_KEY" filetype:env | OpenAI | | OpenAI OPENAI_API_KEY env-var in .env file. |
| | intext:"sk-svcacct-" "openai" -site:github.com | OpenAI | | OpenAI sk-svcacct- co-anchored with openai (prefix too broad alone). |
| | intext:"phc_" "posthog" -site:github.com | PostHog | | PostHog phc_ co-anchored with posthog (prefix too broad alone). |
| | intext:"POSTHOG_API_KEY" filetype:env | PostHog | | PostHog POSTHOG_API_KEY env-var in .env file. |
| | intext:"SG." "SENDGRID_API_KEY" -site:github.com | SendGrid | | SendGrid SG. co-anchored with SENDGRID_API_KEY (prefix too broad alone). |
| | intext:"SENDGRID_API_KEY" filetype:env | SendGrid | | SendGrid SENDGRID_API_KEY env-var in .env file. |

Files Containing Passwords

75 dorks

| Tier | Dork | Service | CVE | Notes |
|---|---|---|---|---|
| 🟡 | intitle:"index of" ".aws" intext:"credentials" | AWS | | AWS credentials file (Bedrock/SageMaker access) in open dir. |
| 🟡 | intext:"sk-ant-api03-" -site:github.com | Anthropic | | Anthropic ANTHROPIC_API_KEY (sk-ant-api03-) in page body. Vendor-unique prefix. |
| 🟡 | intext:"sk-ant-api03-" filetype:env | Anthropic | | Anthropic sk-ant-api03- in .env file. |
| 🟡 | filetype:json intext:"ANTHROPIC_API_KEY" -site:github.com | Anthropic config | | JSON config leaking Anthropic key (Next.js manifest, deploy config). |
| 🟡 | inurl:"airflow.cfg" intext:"sql_alchemy_conn" | Apache Airflow | | Airflow config: sql_alchemy_conn embeds DB password; fernet_key nearby. |
| 🟡 | filetype:cfg intext:"fernet_key" intext:"airflow" | Apache Airflow | | Airflow Fernet key. Decrypts all stored connection passwords + Variables. |
| 🟡 | inurl:"superset_config.py" intext:"SECRET_KEY" | Apache Superset | | Superset SECRET_KEY (CVE-2023-27524 class). Session forge to admin. |
| 🟡 | intext:"bt_v1_" -site:github.com | Braintrust | | Braintrust key/token (bt_v1_) in page body. Vendor-unique prefix. |
| 🟡 | intext:"bt_v1_" filetype:env | Braintrust | | Braintrust bt_v1_ in .env file. |
| 🟡 | intext:".claude/settings.json" -site:github.com | Claude Code | | Claude Code key/token (.claude/settings.json) in page body. Vendor-unique prefix. |
| 🟡 | intext:".claude/settings.json" filetype:env | Claude Code | | Claude Code .claude/settings.json in .env file. |
| 🟡 | intext:"COHERE_API_KEY" -site:github.com | Cohere | | Cohere COHERE_API_KEY (COHERE_API_KEY) in page body. Vendor-unique prefix. |
| 🟡 | intext:"COHERE_API_KEY" filetype:env | Cohere | | Cohere COHERE_API_KEY in .env file. |
| 🟡 | intext:"DEEPSEEK_API_KEY" -site:github.com | DeepSeek | | DeepSeek DEEPSEEK_API_KEY (DEEPSEEK_API_KEY) in page body. Vendor-unique prefix. |
| 🟡 | intext:"DEEPSEEK_API_KEY" filetype:env | DeepSeek | | DeepSeek DEEPSEEK_API_KEY in .env file. |
| 🟡 | filetype:json intext:"service_account" intext:"private_key" intext:"vertex" | GCP Vertex | | GCP service-account JSON for Vertex AI. |
| 🟡 | intext:"ghp_" -site:github.com | GitHub | | GitHub GITHUB_TOKEN (ghp_) in page body. Vendor-unique prefix. |
| 🟡 | intext:"ghp_" filetype:env | GitHub | | GitHub ghp_ in .env file. |
| 🟡 | intext:"gho_" -site:github.com | GitHub | | GitHub key/token (gho_) in page body. Vendor-unique prefix. |
| 🟡 | intext:"gho_" filetype:env | GitHub | | GitHub gho_ in .env file. |
| 🟡 | intext:"ghs_" -site:github.com | GitHub | | GitHub key/token (ghs_) in page body. Vendor-unique prefix. |
| 🟡 | intext:"ghs_" filetype:env | GitHub | | GitHub ghs_ in .env file. |
| 🟡 | intext:"glpat-" -site:github.com | GitLab | | GitLab GITLAB_TOKEN (glpat-) in page body. Vendor-unique prefix. |
| 🟡 | intext:"glpat-" filetype:env | GitLab | | GitLab glpat- in .env file. |
| 🟡 | intext:"sk-helicone-" -site:github.com | Helicone | | Helicone key/token (sk-helicone-) in page body. Vendor-unique prefix. |
| 🟡 | intext:"sk-helicone-" filetype:env | Helicone | | Helicone sk-helicone- in .env file. |
| 🟡 | filetype:env intext:"HF_TOKEN" -site:github.com -intext:"hf_xxxx" | HuggingFace | | HuggingFace token in .env. Model/dataset/Space write. |
| 🟡 | intext:"hl_pk_" -site:github.com | Humanloop | | Humanloop key/token (hl_pk_) in page body. Vendor-unique prefix. |
| 🟡 | intext:"hl_pk_" filetype:env | Humanloop | | Humanloop hl_pk_ in .env file. |
| 🟡 | inurl:"jupyter_server_config.json" intext:"password" | Jupyter | | Jupyter server config with hashed/plain password or token. |
| 🟡 | intext:"LAGO_RSA_PRIVATE_KEY" -site:github.com | Lago | | Lago LAGO_RSA_PRIVATE_KEY (LAGO_RSA_PRIVATE_KEY) in page body. Vendor-unique prefix. |
| 🟡 | intext:"LAGO_RSA_PRIVATE_KEY" filetype:env | Lago | | Lago LAGO_RSA_PRIVATE_KEY in .env file. |
| 🟡 | intext:"lsv2_pt_" -site:github.com | LangSmith | | LangSmith LANGSMITH_API_KEY (lsv2_pt_) in page body. Vendor-unique prefix. |
| 🟡 | intext:"lsv2_pt_" filetype:env | LangSmith | | LangSmith lsv2_pt_ in .env file. |
| 🟡 | intext:"lsv2_sk_" -site:github.com | LangSmith | | LangSmith LANGSMITH_API_KEY (lsv2_sk_) in page body. Vendor-unique prefix. |
| 🟡 | intext:"lsv2_sk_" filetype:env | LangSmith | | LangSmith lsv2_sk_ in .env file. |
| 🟡 | intext:"sk-lf-" -site:github.com | Langfuse | | Langfuse LANGFUSE_SECRET_KEY (sk-lf-) in page body. Vendor-unique prefix. |
| 🟡 | intext:"sk-lf-" filetype:env | Langfuse | | Langfuse sk-lf- in .env file. |
| 🟡 | intext:"pk-lf-" -site:github.com | Langfuse | | Langfuse LANGFUSE_PUBLIC_KEY (pk-lf-) in page body. Vendor-unique prefix. |
| 🟡 | intext:"pk-lf-" filetype:env | Langfuse | | Langfuse pk-lf- in .env file. |
| 🟡 | filetype:env intext:"LANGFUSE_SECRET_KEY" intext:"sk-lf-" | Langfuse | | Langfuse secret key in .env, prefix-confirmed. |
| 🟡 | intitle:"index of" "litellm_config.yaml" intext:"api_key" | LiteLLM | | LiteLLM proxy config in open dir, provider keys in model_list. |
🟡filetype:yaml intext:"api_key" intext:"openai" -sample -exampleLiteLLM/app yamlYAML config (LiteLLM/app) with inline OpenAI api_key.
🟡intext:"MISTRAL_API_KEY" -site:github.comMistralMistral MISTRAL_API_KEY (MISTRAL_API_KEY) in page body. Vendor-unique prefix.
🟡intext:"MISTRAL_API_KEY" filetype:envMistralMistral MISTRAL_API_KEY in .env file.
🟡intext:"OPENAI_API_KEY=sk-" -site:github.comOpenAIOpenAI OPENAI_API_KEY (OPENAI_API_KEY=sk-) in page body. Vendor-unique prefix.
🟡intext:"OPENAI_API_KEY=sk-" filetype:envOpenAIOpenAI OPENAI_API_KEY=sk- in .env file.
🟡filetype:env intext:"OPENAI_API_KEY" -site:github.com -intext:"your-key"OpenAI .envLive .env leaking OpenAI key. Strip placeholder values.
🟡filetype:sh intext:"export OPENAI_API_KEY=sk-"OpenAI shellShell script exporting a live OpenAI key.
🟡intext:"sk-or-v1-" -site:github.comOpenRouterOpenRouter key/token (sk-or-v1-) in page body. Vendor-unique prefix.
🟡intext:"sk-or-v1-" filetype:envOpenRouterOpenRouter sk-or-v1- in .env file.
🟡intext:"xoxb-" -site:github.comSlackSlack key/token (xoxb-) in page body. Vendor-unique prefix.
🟡intext:"xoxb-" filetype:envSlackSlack xoxb- in .env file.
🟡intext:"xapp-" -site:github.comSlackSlack key/token (xapp-) in page body. Vendor-unique prefix.
🟡intext:"xapp-" filetype:envSlackSlack xapp- in .env file.
🟡filetype:toml intext:"openai" intext:"api_key" -example -templateStreamlit secretsStreamlit secrets.toml or pyproject with inline OpenAI key.
🟡intext:"pk_live_" -site:github.comStripeStripe key/token (pk_live_) in page body. Vendor-unique prefix.
🟡intext:"pk_live_" filetype:envStripeStripe pk_live_ in .env file.
🟡intext:"sk_live_" -site:github.comStripeStripe key/token (sk_live_) in page body. Vendor-unique prefix.
🟡intext:"sk_live_" filetype:envStripeStripe sk_live_ in .env file.
🟡filetype:log intext:"Bearer sk-" -site:github.comkey-in-logsLog file capturing Authorization: Bearer sk- key.
🟡filetype:env "OPENAI_API_KEY" "ANTHROPIC_API_KEY" "GROQ_API_KEY"multi-providerMulti-provider .env dump. Three keys, one file.
🟡inurl:".n8n" intext:"encryptionKey"n8nn8n encryptionKey. Decrypts all stored workflow credentials.
🟡intitle:"index of" ".env.production" intext:"KEY"prod .envProduction .env in an open dir.
filetype:py intext:"SQLALCHEMY_DATABASE_URI" intext:"superset"Apache SupersetSuperset DB URI with embedded credentials.
filetype:env intext:"DEEPSEEK_API_KEY"DeepSeekDeepSeek API key in .env.
filetype:env intext:"GROQ_API_KEY"GroqGroq API key in .env.
inurl:"config.yaml" intext:"huggingfacehub_api_token"LangChainLangChain/LlamaIndex config with HF hub token.
intitle:"index of" "basic_auth.ini" intext:"mlflow"MLflowMLflow basic-auth store. Username:bcrypt pairs for the tracking server.
filetype:env intext:"PINECONE_API_KEY"PineconePinecone API key in .env.
filetype:env intext:"QDRANT_API_KEY" -site:github.comQdrantQdrant API key in .env.
inurl:"redis.conf" intext:"requirepass"RedisRedis (vector/cache layer) password in config.
filetype:env intext:"WEAVIATE_API_KEY"WeaviateWeaviate API key in .env.
filetype:log intext:"api_key" intext:"openai" -site:github.comkey-in-logsApp log leaking openai api_key value.
filetype:env intext:"DATABASE_URL" intext:"postgres" intext:"vector"pgvectorpgvector Postgres URL with embedded password.

Various Online Devices

38 dorks

| T | Dork | Service | CVE | Notes |
|---|---|---|---|---|
| 🟡 | intitle:"CodeProject.AI Server" | CodeProject.AI |  | CodeProject.AI edge inference server (port 32168). Repo: 39 confirmed. Open detection API. |
| 🟡 | intitle:"Frigate" inurl:cameras | Frigate NVR |  | Frigate NVR (AI object detection). Repo: 205 found, 15 leak RTSP camera creds in plaintext via /api/config. |
| 🟡 | intext:"frigate" "rtsp://" inurl:config | Frigate NVR |  | Frigate config exposing rtsp:// URLs with embedded camera credentials. |
| 🟡 | intext:"GPT-SoVITS" inurl:api -site:github.com | GPT-SoVITS | CVE-2025-49833 | GPT-SoVITS open inference/device endpoint. no auth by default; command injection RCE |
| 🟡 | intext:"DCGM_FI_DEV_GPU_TEMP" | NVIDIA DCGM |  | NVIDIA DCGM exporter /metrics. GPU temp/util/process names, no auth. |
| 🟡 | intitle:"index of" "dustynv" intext:"l4t" | NVIDIA Jetson |  | NVIDIA Jetson container catalog (dustynv/l4t images). Edge-AI operator attribution. |
| 🟡 | intext:"RVC" inurl:api -site:github.com | RVC (Retrieval-based Voice Conversion) | CVE-2025-43842 | RVC (Retrieval-based Voice Conversion) open inference/device endpoint. no auth by default; RCE via pickle deserialization |
|  | intext:"Applio" inurl:api -site:github.com | Applio |  | Applio open inference/device endpoint. no auth by default |
|  | intext:"Bark" inurl:api -site:github.com | Bark TTS |  | Bark TTS open inference/device endpoint. no auth by default |
|  | intext:"ChatTTS" inurl:api -site:github.com | ChatTTS |  | ChatTTS open inference/device endpoint. no auth by default |
|  | intext:"Chatterbox TTS" inurl:api -site:github.com | Chatterbox TTS |  | Chatterbox TTS open inference/device endpoint. no auth; /upload_reference unauth on both variants |
|  | inurl:"vision/detection" intext:"CodeProject" | CodeProject.AI |  | CodeProject.AI detection endpoint. |
|  | intext:"Coqui" inurl:api -site:github.com | Coqui TTS |  | Coqui TTS open inference/device endpoint. no auth by default |
|  | intext:"Coral" intext:"edgetpu" inurl:detect | Coral EdgeTPU |  | Google Coral EdgeTPU detection endpoint. |
|  | intitle:"DeepStack" inurl:admin | DeepStack |  | DeepStack AI server admin (port 5000). Repo: 24 confirmed. |
|  | intitle:"ESP32-CAM" -com -net | ESP32-CAM |  | ESP32-CAM (often paired with edge AI detection). |
|  | intitle:"GPUStack" | GPUStack |  | GPUStack cluster dashboard. GPU inventory + model scheduling. |
|  | intitle:"Home Assistant" intext:"Ollama" | Home Assistant |  | Home Assistant with Ollama integration. Local LLM wired to home automation. |
|  | intext:"Kokoro" inurl:api -site:github.com | Kokoro TTS / Kokoro-FastAPI |  | Kokoro TTS / Kokoro-FastAPI open inference/device endpoint. no auth by default |
|  | intitle:"LM Studio" intext:"server" inurl:1234 | LM Studio |  | LM Studio local server mode on a workstation. |
|  | intext:"LiveKit" inurl:api -site:github.com | LiveKit Agents |  | LiveKit Agents open inference/device endpoint. JWT required for room ops; health endpoint open |
|  | intext:"jetson" intext:"nvpmodel" -com -net | NVIDIA Jetson |  | Jetson board management surface (power-model config). |
|  | intitle:"NVIDIA Triton" inurl:"v2/health" | NVIDIA Triton |  | Triton inference server on an edge/appliance box. |
|  | intext:"OpenVINO Model Server" inurl:"v1/config" | OpenVINO |  | Intel OpenVINO model server config endpoint. Edge inference. |
|  | intext:"OpenVoice" inurl:api -site:github.com | OpenVoice |  | OpenVoice open inference/device endpoint. no auth by default |
|  | intext:"Orpheus TTS" inurl:api -site:github.com | Orpheus-FastAPI TTS |  | Orpheus-FastAPI TTS open inference/device endpoint. no auth by default |
|  | intext:"Orthanc Explorer" inurl:api -site:github.com | Orthanc DICOM Server |  | Orthanc DICOM Server open inference/device endpoint. no auth by default; PHI exposure |
|  | intext:"Pipecat" inurl:api -site:github.com | Pipecat |  | Pipecat open inference/device endpoint. no auth by default |
|  | intext:"Piper" inurl:api -site:github.com | Piper TTS |  | Piper TTS open inference/device endpoint. no auth by default |
|  | intitle:"Rhasspy" | Rhasspy |  | Rhasspy offline voice assistant. Intent config + audio device control. |
|  | intext:"SpeechBrain" inurl:api -site:github.com | SpeechBrain |  | SpeechBrain open inference/device endpoint. no auth on self-hosted wrappers |
|  | intext:"Tortoise" inurl:api -site:github.com | Tortoise TTS |  | Tortoise TTS open inference/device endpoint. no auth by default |
|  | intitle:"Viam" inurl:robot | Viam |  | Viam robotics control surface. |
|  | intext:"Whisper" inurl:api -site:github.com | Whisper ASR |  | Whisper ASR open inference/device endpoint. no auth by default |
|  | intext:"wyoming" intext:"piper" -com -net | Wyoming/Piper |  | Wyoming-protocol voice satellite (Piper TTS). Home voice device. |
|  | intext:"dcm4chee Archive UI" inurl:api -site:github.com | dcm4chee Archive |  | dcm4chee Archive open inference/device endpoint. Keycloak-fronted; auth state may be misconfigured |
|  | intitle:"motionEye" | motionEye |  | motionEye surveillance (AI motion). Repo: 18 confirmed. Camera feeds + config. |
|  | intext:"SoftVC" inurl:api -site:github.com | so-vits-svc |  | so-vits-svc open inference/device endpoint. no auth by default |

Advisories and Vulnerabilities

35 dorks

| T | Dork | Service | CVE | Notes |
|---|---|---|---|---|
| 🟡 | inurl:"/api/auth/signup" -site:github.com | Agenta |  | Agenta auth-bypass route: HTTP 200 + FIELD_ERROR = signup live. No disable toggle in OSS. Any party registers. |
| 🟡 | inurl:"/api/v1/dags" -site:github.com | Airflow | CVE-2020-13927 | Airflow: DAG list. /home bypass: anon role returns authenticated dashboard. |
| 🟡 | inurl:"/api/v1/dags" intext:"Airflow" | Airflow | CVE-2020-13927 | Airflow endpoint co-anchored on ‘Airflow’. DAG list. /home bypass: anon role returns authenticated dashboard. |
| 🟡 | inurl:"/if/flow/initial-setup/" -site:github.com | Authentik | CVE-2024-47070 | Authentik auth-bypass route: Setup-flow-open on fresh instances. Claimable admin. |
| 🟡 | inurl:"/api/answer" -site:github.com | DocsGPT | CVE-2025-0868 | DocsGPT: RAG answer endpoint. CVE-2025-0868. |
| 🟡 | inurl:"/api/answer" intext:"DocsGPT" | DocsGPT | CVE-2025-0868 | DocsGPT endpoint co-anchored on ‘DocsGPT’. RAG answer endpoint. CVE-2025-0868. |
| 🟡 | inurl:"/api/v1/chatflows" -site:github.com | Flowise | CVE-2024-36420 | Flowise: Chatflow list. Pre-1.8.2 auth bypass via path traversal. |
| 🟡 | inurl:"/api/v1/chatflows" intext:"Flowise" | Flowise | CVE-2024-36420 | Flowise endpoint co-anchored on ‘Flowise’. Chatflow list. Pre-1.8.2 auth bypass via path traversal. |
| 🟡 | inurl:"/public/plugins/" -site:github.com | Grafana | CVE-2021-43798 | Grafana: CVE-2021-43798 path traversal reads arbitrary files via plugin path. |
| 🟡 | inurl:"/public/plugins/" intext:"Grafana" | Grafana | CVE-2021-43798 | Grafana endpoint co-anchored on ‘Grafana’. CVE-2021-43798 path traversal reads arbitrary files via plugin path. |
| 🟡 | intext:"deepseek-v4-pro" intext:"ollama" -site:github.com | Honeypot Canary |  | Fabricated model name (deepseek-v4-pro does not exist). Hits = deception fleet / proxy-shim, not real deployments. |
| 🟡 | intext:"gemini-3-flash" intext:"ollama" -site:github.com | Honeypot Canary |  | Fabricated model name (gemini-3-flash does not exist). Hits = deception fleet / proxy-shim, not real deployments. |
| 🟡 | intext:"minimax-m2.7" intext:"ollama" -site:github.com | Honeypot Canary |  | Fabricated model name (minimax-m2.7 does not exist). Hits = deception fleet / proxy-shim, not real deployments. |
| 🟡 | intext:"kimi-k2.6" intext:"ollama" -site:github.com | Honeypot Canary |  | Fabricated model name (kimi-k2.6 does not exist). Hits = deception fleet / proxy-shim, not real deployments. |
| 🟡 | intext:"gemma4" intext:"ollama" -site:github.com | Honeypot Canary |  | Fabricated model name (gemma4 does not exist). Hits = deception fleet / proxy-shim, not real deployments. |
| 🟡 | intext:"qwen3-coder-next" intext:"ollama" -site:github.com | Honeypot Canary |  | Fabricated model name (qwen3-coder-next does not exist). Hits = deception fleet / proxy-shim, not real deployments. |
| 🟡 | intext:"glm-4.7-flash" intext:"ollama" -site:github.com | Honeypot Canary |  | Fabricated model name (glm-4.7-flash does not exist). Hits = deception fleet / proxy-shim, not real deployments. |
| 🟡 | inurl:"/api/2.0/mlflow/experiments/list" -site:github.com | MLflow | CVE-2023-1177 | MLflow: Experiment list. CVE-2023-1177 path traversal via artifact download. |
| 🟡 | inurl:"/api/2.0/mlflow/experiments/list" intext:"MLflow" | MLflow | CVE-2023-1177 | MLflow endpoint co-anchored on ‘MLflow’. Experiment list. CVE-2023-1177 path traversal via artifact download. |
| 🟡 | inurl:"/api/session/properties" -site:github.com | Metabase | CVE-2023-38646 | Metabase: Returns setup-token. GET then POST /api/setup = full admin. |
| 🟡 | inurl:"/api/session/properties" intext:"Metabase" | Metabase | CVE-2023-38646 | Metabase endpoint co-anchored on ‘Metabase’. Returns setup-token. GET then POST /api/setup = full admin. |
| 🟡 | inurl:"/api/tags" -site:github.com | Ollama | CVE-2024-37032 | Ollama: Model list. No auth. Reveals abliterated/jailbroken variants. |
| 🟡 | inurl:"/api/tags" intext:"Ollama" | Ollama | CVE-2024-37032 | Ollama endpoint co-anchored on ‘Ollama’. Model list. No auth. Reveals abliterated/jailbroken variants. |
| 🟡 | inurl:"/api/v1/datasets" -site:github.com | RAGFlow | CVE-2024-12880 | RAGFlow: Knowledge base list. CVE-2024-12880. |
| 🟡 | inurl:"/api/v1/datasets" intext:"RAGFlow" | RAGFlow | CVE-2024-12880 | RAGFlow endpoint co-anchored on ‘RAGFlow’. Knowledge base list. CVE-2024-12880. |
| 🟡 | inurl:"/api/jobs" -site:github.com | Ray | CVE-2023-48022 | Ray: Job submission API. CVE-2023-48022 ShadowRay unauth RCE. |
| 🟡 | inurl:"/api/jobs" intext:"Ray" | Ray | CVE-2023-48022 | Ray endpoint co-anchored on ‘Ray’. Job submission API. CVE-2023-48022 ShadowRay unauth RCE. |
| 🟡 | inurl:"/api/databases" -site:github.com | RedisInsight |  | RedisInsight auth-bypass route: Returns Redis connection configs with password field in plaintext. 26% leak AUTH creds. |
| 🟡 | inurl:"/api/v1/database" -site:github.com | Superset | CVE-2023-27524 | Superset: DB connection list. CVE-2023-27524 default SECRET_KEY = session forge. |
| 🟡 | inurl:"/api/v1/database" intext:"Superset" | Superset | CVE-2023-27524 | Superset endpoint co-anchored on ‘Superset’. DB connection list. CVE-2023-27524 default SECRET_KEY = session forge. |
| 🟡 | inurl:"/models" -site:github.com | TorchServe | CVE-2023-43654 | TorchServe: Management API (port 8081). Model registration + nextPageToken. |
| 🟡 | inurl:"/models" intext:"TorchServe" | TorchServe | CVE-2023-43654 | TorchServe endpoint co-anchored on ‘TorchServe’. Management API (port 8081). Model registration + nextPageToken. |
| 🟡 | inurl:"/v2/health/ready" -site:github.com | Triton | CVE-2024-0087 | Triton: Triton health. /v2/models for model inventory. |
| 🟡 | inurl:"/v2/health/ready" intext:"Triton" | Triton | CVE-2024-0087 | Triton endpoint co-anchored on ‘Triton’. Triton health. /v2/models for model inventory. |
| 🟡 | inurl:"/rest/workflows" -site:github.com | n8n |  | n8n auth-bypass route: Legacy internal API returns workflow data without creds even when public API disabled. |